Hackers Exploit Next.js Repositories Targeting Developers

Software developers are facing a coordinated attack campaign using malicious repositories masked as legitimate Next.js projects and assessment materials. These attacks aim to infiltrate developer systems through job-related lures, enticing developers to clone and execute compromised code.

Deceptive Tactics and Remote Access

Hackers use fake recruitment challenges to trick developers into running harmful code that establishes a connection to attacker-controlled command-and-control (C2) infrastructure. This grants unauthorized access to the developer’s system and sensitive data.

The initial detection of this campaign came from unusual outbound network connections from Node.js processes on compromised developer devices. These processes pointed to known C2 IP addresses, prompting further investigation into the execution chains.

Identifying Malicious Repositories

Microsoft Defender Experts and the Microsoft Defender Security Research Team uncovered a broader network of related repositories. They identified clusters such as ‘Cryptan,’ ‘JP-soccer,’ ‘RoyalJapan,’ and ‘SettleMint,’ which shared code structures and naming patterns, aiding in tracing additional malicious repositories.

This attack poses particular risks to corporate development teams. Developer systems often have access to valuable assets like source code, cloud API keys, and database credentials. A single breach could expose an organization’s entire infrastructure.

Execution Paths and Preventative Measures

The campaign exploits three primary execution paths, all leading to the execution of attacker-controlled JavaScript. The first path abuses Visual Studio Code workspace automation, while the second path exploits npm server commands. The third path uses server startup scripts to transmit sensitive data and execute malicious JavaScript.

To mitigate these threats, developers should enable Visual Studio Code Workspace Trust and Restricted Mode. Organizations are advised to enforce attack surface reduction rules and implement strong authentication for developer accounts. Monitoring unusual Node.js connections is also recommended to detect potential compromises.

As attackers increasingly blend malicious code into routine workflows, this campaign highlights the evolving nature of software supply chain threats. Organizations must remain vigilant and proactive in securing their development environments.