Developer-targeting campaign using malicious Next.js repositories
ID: 169dd427-032b-50c4-9a06-e73fb3b440c7
STIX ID: report--169dd427-032b-50c4-9a06-e73fb3b440c7
Feed Name: Microsoft Security
Date Published: 2026-02-24
Date Updated: 2026-04-28
Author: Microsoft Defender Experts and Microsoft Defender Security Research Team
Microsoft Defender details a coordinated developer-targeting campaign that uses recruiting-themed and Next.js repositories to trigger runtime retrieval and in-memory execution of attacker-controlled JavaScript. The report describes three execution paths (VS Code workspace tasks, trojanized dev-server assets, and backend startup that exfiltrates environment variables), a two-stage C2 (Stage 1 registrar and Stage 2 tasking controller), telemetry and IoCs (Vercel domains, IPs, URLs, filepaths, and file hashes), hunting queries, and actionable mitigation guidance to protect developer workflows and credentials.
