Fake Job Interviews Are Installing Backdoors on Developer Machines
Summary
Microsoft Defender Experts exposed a campaign that uses fake Next.js projects and coding challenges to install a backdoor on developer machines. The attack has three execution paths (VS Code workspace automation, build-time injection, and server startup) and sets up a two-stage C2. IOCs include domains, IPs, and endpoints, and practical defenses are outlined for developers and security teams.
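A pre-open check for the VS Code workspace automation path, added here as an example and not taken from Microsoft's write-up. It assumes that path relies on VS Code's `runOptions.runOn: "folderOpen"` task setting, which the summary does not spell out; the function names and the sample file are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop_outside_strings(pattern, text):
    """Delete matches of pattern, leaving JSON string literals untouched."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def strip_jsonc(text):
    """tasks.json is JSONC: remove comments first, then trailing commas."""
    text = _drop_outside_strings(r"//[^\n]*|/\*.*?\*/", text)
    return _drop_outside_strings(r",(?=\s*[}\]])", text)

def auto_run_tasks(tasks_json_text):
    """Return (label, command) for every task that runs when the folder is opened."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        # Assumption: "folderOpen" is the auto-run trigger of interest.
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits

def audit_repo(root):
    """Check <root>/.vscode/tasks.json without opening the folder in VS Code."""
    path = Path(root) / ".vscode" / "tasks.json"
    return auto_run_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []

# Constructed sample, not taken from the campaign.
SAMPLE = r'''{
  // comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "env-check", "type": "shell",
      "command": "node ./scripts/setup.js",
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "docs", "type": "shell",
      "command": "echo https://example.com/docs" /* the // in the URL must survive */ },
  ]
}'''

if __name__ == "__main__":
    hits = audit_repo(sys.argv[1]) if len(sys.argv) > 1 else auto_run_tasks(SAMPLE)
    for label, command in hits:
        print(f"auto-run on folder open: {label!r} -> {command!r}")
```

Run it against a freshly cloned interview repository from a terminal before opening the folder in the editor; any hit is a command to read in full first.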