Fake Job Interviews Are Installing Backdoors on Developer Machines
SMRTR summary
Microsoft Defender Experts discovered a coordinated campaign targeting developers through malicious repositories disguised as Next.js projects and job assessment materials. Attackers use fake coding challenges on Bitbucket that execute backdoors through VS Code workspace automation, build-time execution, or server startup processes. All paths lead to a two-stage C2 system that turns developer machines into botnet nodes while stealing credentials, source code, and cloud infrastructure access.
SMRTR provides this summary for quick context. The original article belongs to lobste.rs.
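A pre-open audit for the execution paths named in the summary, as an added example that is not from the original article or from Microsoft: it flags VS Code tasks set to run when a folder is opened and lists the `package.json` scripts that run at install, build or server start. Assumptions: that "workspace automation" means a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen`, and the script names in `WATCHED`; the function names and the sample repository in `demo` are constructed here.

```python
import json, re, tempfile
from pathlib import Path

# Assumed script names: npm install hooks plus the usual Next.js build/start entries.
WATCHED = {"preinstall", "install", "postinstall", "prepare", "dev", "build", "start"}

def _drop(pattern, text):
    # Strings are matched first, so comment markers or commas inside them survive.
    rx = re.compile(r'"(?:\\.|[^"\\])*"|' + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def load_jsonc(path):
    """Parse JSON that may carry comments and trailing commas, as tasks.json can."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", path.read_text(encoding="utf-8-sig"))
    return json.loads(_drop(r",(?=\s*[}\]])", text))

def audit_repo(root):
    """Return (relative file, finding) pairs to read before opening or building a clone."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.json")):
        rel = path.relative_to(root)
        is_tasks = path.name == "tasks.json" and path.parent.name == ".vscode"
        is_pkg = path.name == "package.json" and "node_modules" not in rel.parts
        if not (is_tasks or is_pkg):
            continue
        try:
            doc = load_jsonc(path)
            tasks, scripts = doc.get("tasks"), doc.get("scripts")
        except (ValueError, AttributeError):  # bad JSON or non-object top level
            findings.append((rel.as_posix(), "could not parse, review by hand"))
            continue
        for task in (tasks if is_tasks and isinstance(tasks, list) else []):
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append((rel.as_posix(), f"task {task.get('label')!r} "
                                 f"runs on folder open: {task.get('command')!r}"))
        names = WATCHED & set(scripts) if is_pkg and isinstance(scripts, dict) else ()
        for name in sorted(names):
            findings.append((rel.as_posix(), f"script {name!r} runs: {scripts[name]!r}"))
    return findings

def demo():
    """Audit a constructed sample repo (made up here, not a campaign artifact)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, ".vscode").mkdir()
        Path(d, ".vscode", "tasks.json").write_text(
            '{"tasks": [{"label": "env", "command": "node x.js", // sample\n'
            ' "runOptions": {"runOn": "folderOpen"},}]}')
        Path(d, "package.json").write_text('{"scripts": {"build": "next build", "test": "jest"}}')
        return audit_repo(d)
```

Run `audit_repo` on a fresh clone before opening the folder in VS Code or running an install or build, and read every command it reports.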