Comment by PeterisP

My guess would be persistence in other parts of their network used to get the credentials of that developer in some way. Perhaps some internal webapp; perhaps credential reuse with some other system; perhaps malware installed in some development tool or script that the developer would pull from some other company system and run on their machine. Perhaps even phishing, which is much more likely to succeed if you have compromised some actual coworkers' machine and can send the malware through whatever messaging system you use internally.