Microsoft: Microsoft Alerts Developers of Malicious Next.js Repositories Used in Ongoing Hacker Attacks


Microsoft Warns of Malicious Next.js Repositories Targeting Developers

Microsoft has uncovered a sophisticated campaign where threat actors weaponize malicious Next.js repositories to compromise developers by disguising them as legitimate projects or technical assessments. The attack leverages Visual Studio Code and Node.js workflows to deploy a staged command-and-control (C2) backdoor without traditional malware installers.

The campaign was detected after suspicious outbound connections from Node.js processes to attacker-controlled infrastructure over HTTP port 3000 were observed beaconing at short intervals. Microsoft Defender Experts traced the activity to Bitbucket-hosted repositories, including one framed as a recruiting assessment and another labeled Cryptan-Platform-MVP1. Additional repositories sharing naming patterns such as JP-soccer, RoyalJapan, and SettleMint, along with variant labels such as v1, master, and demo, were identified as part of the same malicious family.

The attack employs three execution paths:

  1. Workspace Automation Abuse – Malicious .vscode/tasks.json files trigger Node.js tasks upon project opening, fetching a loader script from Vercel-hosted endpoints like price-oracle-v2.vercel.app.
  2. Build-Time Execution – Trojanized assets (e.g., jquery.min.js) decode base64-encoded URLs during npm run dev, pulling and executing payloads in memory.
  3. Server Startup Exploitation – Backend routes and .env variables (e.g., AUTH_API) decode attacker endpoints, exfiltrate environment variables, and execute remote JavaScript, exposing cloud keys and credentials.
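The three paths above share one trait: the code that runs is already in the repository before a developer types anything, so a static check before opening or building the project catches all three. The following scanner is an added example (not Microsoft's or Rankiteo's code) that inspects an in-memory snapshot of a repository for VS Code tasks that auto-start on folder open (the real tasks.json setting for that is runOptions.runOn = "folderOpen"), base64 runs inside JavaScript assets that decode to URLs, and .env values that decode to URLs. The sample repository, its hostnames, and the scripts/setup.js task are constructed placeholders; only tasks.json, jquery.min.js, AUTH_API, and .env are names from the article.

```javascript
// Added example: pre-open static check for auto-run tasks and base64-hidden URLs.
// Hostnames and file contents below are constructed; they are not real indicators.

const B64_RE = /[A-Za-z0-9+/]{16,}={0,2}/g; // base64 runs long enough to hold a URL

// Decode every base64-looking token in `text` and keep those that decode to a URL.
function findEncodedUrls(text) {
  const hits = [];
  for (const tok of text.match(B64_RE) || []) {
    const decoded = Buffer.from(tok, 'base64').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) hits.push({ token: tok, url: decoded });
  }
  return hits;
}

// Return tasks that VS Code starts automatically when the folder is opened.
function findAutoRunTasks(tasksJsonText) {
  let doc;
  try { doc = JSON.parse(tasksJsonText); } catch { return []; }
  return (doc.tasks || [])
    .filter(t => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map(t => ({ label: t.label, command: [t.command, ...(t.args || [])].join(' ') }));
}

// Parse KEY=VALUE lines from a .env file and flag values that decode to URLs.
function findEncodedEnvUrls(envText) {
  const hits = [];
  for (const line of envText.split('\n')) {
    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*"?([^"\s#]+)"?/);
    if (!m) continue;
    for (const h of findEncodedUrls(m[2])) hits.push({ variable: m[1], url: h.url });
  }
  return hits;
}

// Run all three checks over a {path: content} map and return findings.
function scanRepo(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith('.vscode/tasks.json')) {
      for (const t of findAutoRunTasks(content))
        findings.push({ path, check: 'auto-run-task', detail: `${t.label}: ${t.command}` });
    } else if (/\.env(\..+)?$/.test(path)) {
      for (const h of findEncodedEnvUrls(content))
        findings.push({ path, check: 'encoded-env-url', detail: `${h.variable} -> ${h.url}` });
    } else if (/\.(m?js|cjs|ts)$/.test(path)) {
      for (const h of findEncodedUrls(content))
        findings.push({ path, check: 'encoded-asset-url', detail: h.url });
    }
  }
  return findings;
}

// Constructed sample repository exercising all three execution paths.
const SAMPLE_REPO = {
  '.vscode/tasks.json': JSON.stringify({
    version: '2.0.0',
    tasks: [{
      label: 'setup', type: 'shell', command: 'node', args: ['scripts/setup.js'],
      runOptions: { runOn: 'folderOpen' },
    }],
  }),
  'public/jquery.min.js': '/*! jQuery */ var u=atob("' +
    Buffer.from('http://loader.example.invalid/stage1').toString('base64') + '");',
  '.env': 'NEXT_PUBLIC_APP=demo\nAUTH_API=' +
    Buffer.from('https://c2.example.invalid/api/errorMessage').toString('base64') + '\n',
  'pages/index.js': 'export default function Home() { return "hello"; }',
};

for (const f of scanRepo(SAMPLE_REPO)) console.log(`[${f.check}] ${f.path}: ${f.detail}`);
```

Run it with Node against a map built from the files of a cloned repository before opening the folder in an editor; any `auto-run-task` finding is exactly the "code runs on project open" path, and the two URL checks surface the decode-at-build and decode-at-startup paths without executing anything.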

All paths converge on a Stage 1 script that registers the compromised host, polls a C2 endpoint, and maintains persistence via a durable instanceId. Stage 2 upgrades this foothold into a long-lived controller, executing tasks through detached Node interpreters, browsing directories, and exfiltrating files via endpoints like /api/hsocketNext and /upload.

Microsoft recommends hardening developer workflows by enabling Visual Studio Code Workspace Trust, restricting automation file execution, and applying attack surface reduction rules in Defender for Endpoint. Detection strategies include monitoring Node.js outbound connections to Vercel domains and C2 paths like /api/errorMessage. Organizations using Microsoft Sentinel can operationalize these behaviors into hunting queries to identify similar threats.
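The detection guidance above reduces to two questions about process-level network telemetry: is a Node.js process talking to a Vercel host or to one of the C2 paths, and is it doing so on a schedule. The routine below is an added example, not Microsoft's Sentinel content, and is written against a constructed record shape ({ts, process, host, port, path}) that you would map onto your own sensor's fields. It applies the per-event indicators from the article (*.vercel.app hosts, /api/errorMessage, /api/hsocketNext, /upload, external port 3000) and then checks each destination host for the short, regular intervals the article describes. The c2.example.invalid host and the thresholds are constructed; price-oracle-v2.vercel.app is the hostname named in the article.

```javascript
// Added example: indicator matching plus beacon-regularity check over Node.js
// network events. Record shape and sample data are constructed.

const C2_PATHS = new Set(['/api/errorMessage', '/api/hsocketNext', '/upload']);
const BEACON_MIN_EVENTS = 4;      // need at least this many connections to call it beaconing
const BEACON_MAX_INTERVAL_S = 60; // "short intervals": median gap at or below this
const BEACON_MAX_JITTER = 0.25;   // gaps within 25% of the median look scheduled, not human

function isNode(proc) {
  return /^node(\.exe)?$/i.test(proc);
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Pass 1: per-event indicators, only for Node.js processes.
function matchIndicators(ev) {
  const reasons = [];
  if (!isNode(ev.process)) return reasons;
  if (ev.host.endsWith('.vercel.app')) reasons.push('node->vercel.app');
  if (C2_PATHS.has(ev.path)) reasons.push(`c2-path:${ev.path}`);
  if (ev.port === 3000 && !/^(localhost|127\.0\.0\.1|::1)$/.test(ev.host)) reasons.push('external-port-3000');
  return reasons;
}

// Pass 2: per-host timing regularity for Node.js processes.
function findBeacons(events) {
  const byHost = new Map();
  for (const ev of events) {
    if (!isNode(ev.process)) continue;
    if (!byHost.has(ev.host)) byHost.set(ev.host, []);
    byHost.get(ev.host).push(ev.ts);
  }
  const beacons = [];
  for (const [host, ts] of byHost) {
    if (ts.length < BEACON_MIN_EVENTS) continue;
    const sorted = [...ts].sort((a, b) => a - b);
    const gaps = sorted.slice(1).map((t, i) => t - sorted[i]);
    const med = median(gaps);
    const jitter = Math.max(...gaps.map(g => Math.abs(g - med))) / med;
    if (med <= BEACON_MAX_INTERVAL_S && jitter <= BEACON_MAX_JITTER)
      beacons.push({ host, count: ts.length, medianIntervalS: med });
  }
  return beacons;
}

// Parse JSON lines and return both indicator hits and beaconing hosts.
function hunt(lines) {
  const events = lines.map(l => JSON.parse(l));
  const indicatorHits = events.flatMap(ev =>
    matchIndicators(ev).map(r => ({ ts: ev.ts, host: ev.host, reason: r })));
  return { indicatorHits, beacons: findBeacons(events) };
}

// Constructed telemetry: a Node process polling one host every ~30 s on port 3000,
// one fetch from a Vercel-hosted loader, benign registry traffic, and a browser
// event that must be ignored because it is not Node.js.
const SAMPLE_LOGS = [
  ...[0, 30, 61, 90, 120].map(t => JSON.stringify(
    { ts: 1700000000 + t, process: 'node', host: 'c2.example.invalid', port: 3000, path: '/api/errorMessage' })),
  JSON.stringify({ ts: 1700000005, process: 'node', host: 'price-oracle-v2.vercel.app', port: 443, path: '/loader.js' }),
  JSON.stringify({ ts: 1700000010, process: 'node', host: 'registry.npmjs.org', port: 443, path: '/react' }),
  JSON.stringify({ ts: 1700000020, process: 'chrome', host: 'c2.example.invalid', port: 3000, path: '/' }),
];

console.log(JSON.stringify(hunt(SAMPLE_LOGS), null, 2));
```

The indicator pass is cheap and specific but goes stale as infrastructure changes; the beacon pass is what keeps catching Stage 1 polling after the hostnames rotate, which is why the two are reported separately rather than combined into one score.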

Source: https://gbhackers.com/malicious-next-js-repositories/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

{
  "id": "MIC1772000859",
  "linkid": "microsoft-security-response-center",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {"industry": "Technology/Software Development", "type": "Developers"}
  ],
  "attack_vector": ["Malicious Repositories", "Trojanized Assets", "Workspace Automation Abuse"],
  "data_breach": {
    "data_exfiltration": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Credentials", "Environment variables", "Cloud keys"]
  },
  "description": "Microsoft has uncovered a sophisticated campaign where threat actors weaponize malicious Next.js repositories to compromise developers by disguising them as legitimate projects or technical assessments. The attack leverages Visual Studio Code and Node.js workflows to deploy a staged command-and-control (C2) backdoor without traditional malware installers.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to supply chain compromise",
    "data_compromised": ["Cloud keys", "Credentials", "Environment variables"],
    "identity_theft_risk": "High (exposure of PII and credentials)",
    "operational_impact": "Compromised developer workflows and potential unauthorized access to sensitive systems",
    "systems_affected": ["Developer workstations", "Node.js applications"]
  },
  "initial_access_broker": {
    "backdoors_established": ["Stage 1 C2 script", "Stage 2 controller"],
    "entry_point": "Malicious Next.js repositories hosted on Bitbucket",
    "high_value_targets": ["Developers", "Cloud credentials"]
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Developer workflows are high-value targets for supply chain attacks. Hardening tools like Visual Studio Code and enforcing strict execution policies can mitigate risks.",
  "motivation": ["Credential Theft", "Data Exfiltration", "Persistence Establishment"],
  "post_incident_analysis": {
    "corrective_actions": ["Hardening developer tools", "Enforcing execution policies", "Enhanced monitoring"],
    "root_causes": ["Abuse of Visual Studio Code workspace automation", "Trojanized npm assets", "Exploitation of Node.js execution workflows"]
  },
  "recommendations": [
    "Enable Visual Studio Code Workspace Trust",
    "Restrict automation file execution",
    "Apply attack surface reduction rules in Defender for Endpoint",
    "Monitor Node.js outbound connections to suspicious domains",
    "Operationalize detection queries in Microsoft Sentinel"
  ],
  "references": [{"source": "Microsoft Security Blog"}],
  "response": {
    "containment_measures": ["Monitoring Node.js outbound connections", "Restricting automation file execution"],
    "enhanced_monitoring": ["Microsoft Sentinel hunting queries", "Defender for Endpoint monitoring"],
    "remediation_measures": ["Enabling Visual Studio Code Workspace Trust", "Applying attack surface reduction rules in Defender for Endpoint"]
  },
  "title": "Microsoft Warns of Malicious Next.js Repositories Targeting Developers",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": ["Node.js workflows", "Visual Studio Code tasks.json", "npm run dev execution"]
}