Software developers are being actively targeted by a coordinated attack campaign that uses malicious repositories posing as authentic Next.js projects and technical evaluation materials. The attackers use job-themed lures, posing as recruitment challenges, to trick developers into cloning and running malicious code on their own computers.

Once a developer runs the project, it silently connects to attacker-controlled command-and-control (C2) infrastructure, giving the attackers remote access to the developer's system and any private information kept on it. The first indication of the campaign was suspicious outbound network connections from Node.js processes on affected developer machines. Because those processes were repeatedly contacting known C2 IP addresses, a closer examination of the execution chains behind the connections was warranted.

To prevent automatic code execution in unfamiliar folders, developers should enable Visual Studio Code Workspace Trust and Restricted Mode. Organizations should implement attack surface reduction rules to block the execution of obfuscated scripts, enforce strong authentication and conditional access for developer accounts, and avoid keeping production credentials on development machines.

[Figure: Stage 2 staged upload workflow as seen in telemetry (Source: Microsoft)]

Whenever a developer endpoint compromise is suspected, security teams should run hunting queries over DeviceNetworkEvents and DeviceProcessEvents to look for unusual Node.js outbound connections, and should triage the identity risk of the affected accounts.
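As an added example (not a query from the article or from Microsoft), the following Defender advanced hunting query joins DeviceNetworkEvents to DeviceProcessEvents so that each Node.js outbound connection is shown together with the process that launched it. The C2 address list is an assumed placeholder using RFC 5737 documentation addresses; substitute the indicators your team holds.

```kql
// Added hunting example; not from the article. Surfaces Node.js processes on
// developer endpoints that reach out to known C2 addresses or to any public IP,
// and attaches the launching process so the execution chain can be reviewed.
// The IP list is a placeholder (RFC 5737 documentation addresses); replace it
// with the indicators your team holds.
let c2_ips = dynamic(["203.0.113.10", "198.51.100.22"]);
let lookback = 7d;
let node_procs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("node.exe", "node")
    | project DeviceId, NodePid = ProcessId, NodeCmd = ProcessCommandLine,
              NodeStart = ProcessCreationTime, NodeFolder = FolderPath,
              LauncherName = InitiatingProcessFileName,
              LauncherCmd = InitiatingProcessCommandLine;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where RemoteIPType == "Public"
| extend KnownC2 = RemoteIP in (c2_ips)
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, RemoteUrl, KnownC2,
          NodePid = InitiatingProcessId, Account = InitiatingProcessAccountName
| join kind=leftouter node_procs on DeviceId, NodePid
// Drop matches where the process-creation record postdates the connection
// (PID reuse); keep rows with no match so unknown launchers still surface.
| where isnull(NodeStart) or NodeStart <= Timestamp
| extend Launcher = strcat(LauncherName, " ", LauncherCmd)
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 20), Urls = make_set(RemoteUrl, 20),
            KnownC2Hits = countif(KnownC2)
    by DeviceName, Account, NodeCmd, NodeFolder, Launcher
| order by KnownC2Hits desc, Connections asc
```

Rows with a non-zero KnownC2Hits count, or a Node.js working folder outside the usual project or package-manager directories, are the ones to escalate into endpoint isolation and identity risk triage.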