A coordinated attack campaign is actively targeting software developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. <\/p>\n
The attackers rely on job-themed lures, presenting fake recruitment challenges that convince developers to clone and run poisoned code on their own machines. <\/p>\n
Once a developer executes the project, it silently connects to attacker-controlled command-and-control (C2) infrastructure, granting hackers remote access to the developer\u2019s system along with any sensitive data stored on it.<\/p>\n
The campaign was first spotted through suspicious outbound network connections originating from Node.js processes on affected developer machines. <\/p>\n
These processes were repeatedly reaching out to known C2 IP addresses, which prompted a deeper review of the execution chains behind those connections. <\/p>\n
By correlating network activity with process telemetry, analysts traced the Node.js execution back to malicious repositories, including one hosted on Bitbucket presented as a recruiting-themed technical assessment<\/a> and another using the naming convention \u201cCryptan-Platform-MVP1.\u201d<\/p>\n Microsoft Defender Experts and the Microsoft Defender Security Research Team identified a broader cluster<\/a> of related repositories by pivoting on shared code structure, loader logic, and naming patterns. <\/p>\n Repository families such as \u201cCryptan,\u201d \u201cJP-soccer,\u201d \u201cRoyalJapan,\u201d and \u201cSettleMint\u201d carried near-duplicate variants labeled v1, master, demo, platform, and server. <\/p>\n This consistent structure helped analysts uncover additional repositories not referenced in observed telemetry but exhibiting the same execution logic and staging infrastructure.<\/p>\n The scale of this campaign makes it particularly dangerous for development teams operating in corporate environments. <\/p>\n Developer machines routinely hold access to high-value assets including source code, environment secrets, cloud API keys, database credentials, and build pipelines. <\/p>\n When untrusted code runs on a corporate device, a single compromise can quickly extend beyond one endpoint and potentially expose an organization\u2019s entire infrastructure.<\/p>\n This campaign reflects a calculated shift in how attackers approach software supply chain threats. <\/p>\n By embedding malicious behavior inside what appears to be a normal project, hackers can achieve reliable code execution<\/a> while blending into routine developer workflows, making this a significant threat to development teams worldwide.<\/p>\n All three execution paths in this campaign lead to the same result: runtime retrieval and in-memory execution of attacker-controlled JavaScript. <\/p>\n The first path abuses Visual Studio Code workspace automation. When a developer opens and trusts a project folder, the\u00a0 After execution, the script begins beaconing to attacker-controlled infrastructure.<\/p>\n The second path fires when a developer starts the development server using\u00a0 The third path triggers on server startup, where malicious backend routes decode a hidden base64 endpoint from a\u00a0 Once any of these paths fires, a lightweight Stage 1 payload profiles the host and begins polling the C2 server at fixed intervals. <\/p>\n Stage 2 then takes over, providing persistent operator-driven tasking, directory browsing, sensitive file collection, and staged uploads of stolen data to attacker infrastructure.<\/p>\n Developers should enable Visual Studio Code Workspace Trust and Restricted Mode to block automatic code execution in unknown folders. <\/p>\n Organizations should apply attack surface reduction rules to prevent obfuscated script<\/a> execution, enforce strong authentication and conditional access for developer accounts, and avoid storing production credentials on development machines. <\/p>\n Security teams should monitor for unusual Node.js outbound connections using\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Microsoft Warns of Hackers Attacking Developers with Malicious Next.js Repositories<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThree Entry Points, One Shared Backdoor<\/strong><\/h2>\n
.vscode\/tasks.json<\/code>\u00a0file is pre-configured with\u00a0runOn: \"folderOpen,\"<\/code>\u00a0immediately triggering a Node.js script that fetches a JavaScript loader from a Vercel-hosted staging endpoint. <\/p>\n![\"Telemetry](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOmQtQNDU9jUkuk0diJ6Yo_P63z8CQSpnStoE_paXQIDb2ws9vzVPgbmVQ8c3HvUTCJfPxXxj1n2qO7gySo6reEkZTyT43BOdOhTwxrDBmm8msSBZLAXBws5RyXZDwxDlap5zve14ohMYZh8aZa9wnl4t6V9cS-z2RC-z1cBscO5DX1mNSA95Pi0uSv5A\/s16000\/Telemetry%2520showing%2520a%2520VS%2520Code-adjacent%2520Node%2520script%2520initiating%2520outbound%2520access%2520to%2520a%2520Vercel%2520staging%2520endpoint%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
npm run dev<\/code>. Trojanized assets, such as a modified\u00a0jquery.min.js<\/code>, decode a base64-encoded URL and retrieve the same JavaScript loader from Vercel. <\/p>\n![\"Telemetry](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOhJQQMtolTSvLhd6LVYEdGfpjHZtChHfrLFEnwQGMQHSqUp6CakfOxp_I0RBkQbsjVb1zThqiI8wL5-QAoypdO_L3cxpU-nfOcEHhnZP3Mtk0O1c7GWaTlrGheH_XiGR-P6doQ0IpthF_Ats1pNMC0QrbQnka0qkHXT6a8wO4jD_4QnLLU_JvqAV7Glg\/s16000\/Telemetry%2520showing%25C2%25A0node%2520server%2520-%2520server.js%25C2%25A0reaching%2520out%2520to%2520a%2520Vercel-hosted%2520staging%2520endpoint%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
.env<\/code>\u00a0file, transmit the full process environment \u2014 including cloud API keys and access tokens \u2014 to the attacker, and execute attacker-supplied JavaScript via dynamic compilation.<\/p>\n![\"Backend](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgcQNnRAnyWiiaOKurPsP0mfGd_F_pJaINM5e3hKGlB1K28p2bk0yo2lmE33wl2ZjL_Lggha2n5STR7ok6cP1tTzZn5IMpSOEuBarnezl3bz7OCJ7gz9rYgcRvW4Smb0ss-lWx0CUnERS7AURrjERUxDSaSZFQNrwK6yQ0JAi1M2JLehPx1Ek92owbto2s\/s16000\/Backend%2520server%2520startup%2520path%2520where%2520a%2520module%2520import%2520decodes%2520a%2520base64%2520endpoint%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
![\"Stage](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqG9SgQG2uy_bVSjsoVpBoBzqHp4IvvHRfZPSeSDYN5FBLWTwgr-mRE7UvlIN-wsGWMuH7fFIU2E5sJ3Z56aGjO-xc7YTJeJv8rdf95cro7Z0tuCHQHLkklaYOJYk6e-V7yUAnJHgfF7VMn7pacOUBkYkEONF5P_kXh77zPfAl8SaTVS34H1ObwA9B2Bc\/s16000\/Stage%25201%2520registrar%2520payload%2520retrieved%2520at%2520runtime%2520and%2520executed%2520by%2520Node.js%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
![\"Stage](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiowuzivTma9ldKdvH4U0drc10ylb-8CjhA3Sa0EDrLpkbN8s9rNvXYQse3LsQoOqtvNUEq8WaDVdIkMZnJWEajQnhteqO5sCSFd8nTnoBr-DV5fL_hlZKGP0kXw-e9WofiXmaq7N3JpgYere-P0STbfnMAz_16a1HJ9V-hr56IQhRg2i2ommB0Nh7veeI\/s16000\/Stage%25202%2520staged%2520upload%2520workflow%2520observed%2520in%2520telemetry%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
DeviceNetworkEvents<\/code>\u00a0and\u00a0DeviceProcessEvents<\/code>\u00a0hunting queries, and perform identity risk triage whenever a developer endpoint compromise is suspected.<\/p>\n