Malicious Next.js Repositories Target Developers in New Attack
A new coordinated attack campaign targeting developers has been uncovered by Microsoft Defender Experts, leveraging malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The campaign uses job-themed lures to blend into everyday developer workflows, increasing the likelihood of code execution on compromised systems.
Figure: Attack chain overview mapped to the cyber kill chain model (Source: Microsoft)
Initial Discovery and Scope Expansion
The investigation began when Microsoft Defender’s telemetry system detected suspicious outbound connections from Node.js processes to attacker-controlled command-and-control (C2) infrastructure. These connections led security analysts to a malicious Bitbucket-hosted repository, marketed as a recruiting-themed technical assessment. The repository, labeled “Cryptan-Platform-MVP1,” was not immediately recognized in security logs but shared distinctive features with other discovered repositories.
By examining repository contents, shared coding patterns, and naming conventions, analysts expanded the search to uncover additional malicious repositories. These repositories exhibited similar loader logic, staging infrastructure, and JavaScript execution mechanisms, pointing to a larger coordinated effort. The repositories were structured around repeated naming conventions and family patterns such as “Cryptan,” “JP-soccer,” and “SettleMint,” helping researchers identify further related repositories.
Multiple Execution Paths Leading to Remote Code Execution
Upon deeper investigation, analysts identified several attack vectors designed to trigger execution when developers interacted with the malicious repositories. The campaign’s primary goal is to execute attacker-controlled JavaScript on developer machines, facilitating remote access and data exfiltration. The execution paths are as follows:
- Visual Studio Code Workspace Execution: Several repositories used Visual Studio Code (VS Code) workspace automation to trigger JavaScript execution as soon as the developer opened the folder. The .vscode/tasks.json file contained a task configured to run automatically on folder open, allowing the malware to fetch and execute JavaScript hosted on Vercel:
node /Users/XXXXXX/.vscode/env-setup.js → https://price-oracle-v2.vercel.app
- Build-Time Execution: A second method triggered execution when developers manually ran the application with commands such as npm run dev. Trojanized JavaScript libraries, such as modified versions of jquery.min.js, silently loaded a malicious script during development, again pointing to Vercel-hosted payloads:
node server/server.js → https://price-oracle-v2.vercel.app
- Server Startup Execution: A third variant activated when developers started the backend application. Malicious logic embedded in server routes or environment variables would decode a base64-encoded URL, exfiltrate the environment variables, and execute JavaScript received in the response.
Server start → decode AUTH_API (base64) → POST process.env to attacker endpoint
Stage 1: Initial Registration and Profiling
After the initial execution, regardless of the attack vector, all variants led to Stage 1, a lightweight payload that established communication with the C2 infrastructure.
This script continuously polled a registration endpoint, profiling the host system and establishing an instance identifier (instanceId) that persisted across subsequent communications.
Stage 2: Persistent C2 and Tasking
Stage 2 represents a more persistent foothold, where the payload communicates with a separate C2 server to receive JavaScript tasking commands.
The controller uses a task queue to execute commands in memory, often performing reconnaissance activities such as directory browsing and data collection. It can also exfiltrate files through a multi-step upload process.
POST /upload → /uploadsecond → /uploadend
Attack Chain and Mitigation Strategies
The attack campaign, disguised as a legitimate technical assessment, targets developer systems that often contain sensitive assets such as source code, cloud credentials, and build resources. The key takeaway is the need for organizations to treat developer workflows as a primary attack surface and to ensure visibility into unusual Node.js execution patterns, unexpected outbound connections, and suspicious upload behaviors.
To mitigate these threats, Microsoft recommends several strategies:
- Hardening Developer Workflow Trust: Use VS Code’s Workspace Trust and Restricted Mode to block automatic code execution in untrusted repositories.
- Reduce Build-Time and Script Execution Risk: Implement Attack Surface Reduction rules to limit obfuscated script execution.
- Strengthen Authentication: Enforce strong authentication and conditional access to protect developer systems and prevent token theft.
By taking these actions, developers and organizations can reduce the risk of falling victim to similar campaigns in the future.
Conclusion:
This campaign highlights the growing sophistication of cyberattacks targeting software developers, blending into routine workflows to gain remote code execution and steal sensitive data. Through proactive monitoring and defense, organizations can better protect themselves against such stealthy threats.
For the full list of IoCs, refer to the source report from Microsoft.