Developer-targeting campaign using malicious Next.js repositories

2026-02-24 Microsoft

https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/


Microsoft Defender Experts traced a developer-targeting campaign to malicious Next.js repositories seeded as legitimate projects, recruiting exercises, and technical assessments. The repositories used three execution paths that fit normal developer behavior: Visual Studio Code folder-open tasks, trojanized application assets triggered during npm or server startup, and backend modules that decoded endpoints, exfiltrated process environment variables, and executed attacker-supplied JavaScript with dynamic compilation. Each path led to staged Node.js command-and-control, beginning with host registration and bootstrap code before shifting to a controller that supported persistent tasking, in-memory execution, directory browsing, staged uploads, and operator-driven exfiltration. The activity matters because developer workstations often hold source code, secrets, cloud credentials, and build access, making job-themed repository lures a direct path into high-value software environments.

Indicators of Compromise

Type    Value                                 First Seen   Last Seen
IPv4    147.124.202.208                       2026-02-24   2026-03-17
IPv4    163.245.194.216                       2026-02-24   2026-03-17
IPv4    66.235.168.136                        2026-02-24   2026-03-17
IPv4    87.236.177.9                          2026-01-23   2026-03-17
DOMAIN  api.ipify.org                         2019-12-11   2026-03-17
HASH    13152dcb3be425e1ce0f085cd733121…      2026-02-24   2026-02-24
HASH    449e2bf57ab4790427a3a7de3d98b6c…      2026-02-24   2026-02-24
HASH    e4d71aa95be0725c351e9d1d273d35c…      2026-02-24   2026-02-24
HASH    ddd43e493cb333c1cc5d7cd50a6a5a6…      2026-02-24   2026-02-24
HASH    9ab4045654a6d97762f9ae8bb97d4ec…      2026-02-24   2026-02-24
HASH    6d59740d0710da370d5c38ddf88d691…      2026-02-24   2026-02-24
HASH    07ad8525844ce61471e08e8c515b76b…      2026-02-24   2026-02-24
URL     https://price-oracle-v2.vercel.…      2026-02-24   2026-02-24
