A developer-targeting campaign leveraged malicious Next.js repositories to trigger a covert RCE-to-C2 chain through standard build workflows. The activity demonstrates how staged command-and-control can hide inside routine development tasks.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Microsoft Defender Experts uncovered a coordinated attack campaign targeting developers via malicious Next.js repositories disguised as legitimate job assessment projects. The campaign uses three execution paths: VS Code workspace automation (.vscode/tasks.json with runOn folderOpen), trojanized build-time assets like jquery.min.js triggered during npm run dev, and backend module imports that exfiltrate environment variables and execute attacker-supplied JavaScript via dynamic compilation. All paths converge on a two-stage C2 architecture: Stage 1 registers the host and bootstraps in-memory code, while Stage 2 provides persistent operator-controlled tasking, directory enumeration, and staged file exfiltration. The post includes detailed indicators of compromise (Vercel-hosted staging domains, C2 IP addresses, file paths), Microsoft Defender XDR detection coverage, and KQL hunting queries for identifying affected systems.

Developer-targeting campaign using malicious Next.js repositories

Multiple execution paths leading to a shared backdoor