Microsoft Warns of Malicious Next.js Repos Targeting Developers in New Security Campaign
Microsoft reports a new campaign that injects malicious code into popular Next.js repositories, aiming to compromise developers who download these packages.
Microsoft’s security team says the campaign uses compromised Next.js packages published to the public npm registry to deliver a backdoor to developers who install them, according to a post on the Microsoft Security Blog dated Feb. 24. The researchers, identified as Microsoft Defender Experts and the Defender Security Research Team, traced the malicious code to a series of forked repositories that mimic legitimate Next.js starter projects. Each fork adds a small JavaScript module that, when executed, contacts a command-and-control server and attempts to exfiltrate environment variables, SSH keys and other credentials stored on the developer’s machine.
The blog explains that the attackers first obtained read-only access to a popular open-source repository, then used that foothold to create dozens of near-identical forks, published under slightly altered names. Because the forks carry over the original project’s star count and description, they appear trustworthy in npm’s search results. Once a developer runs npm install, the malicious module is pulled in as a transitive dependency and silently installs a remote-access tool that persists across reboots. Microsoft’s analysis notes that the payload is small (under 10 KB) and obfuscated to evade static analysis, a tactic seen in other recent supply-chain attacks on the JavaScript ecosystem.
Microsoft’s advisory urges developers to verify the provenance of any Next.js starter kit before adding it to a project, to run npm audit, and to monitor for unexpected outbound network traffic from build environments. The company also recommends pinning dependencies to exact versions and maintaining a software bill of materials (SBOM) to track third-party components. One caveat worth keeping in mind: npm audit only matches installed packages against published advisories, so it will not flag a freshly published malicious fork; a committed lockfile, exact pins and a review of packages that run install scripts are the controls that actually block this class of attack. “These steps can dramatically reduce the attack surface for supply-chain compromises,” the blog reads, echoing guidance that became standard after the 2021 event that disrupted the broader Node.js community.
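The transitive-dependency install path described above and the pinning guidance in this paragraph both come down to two questions a team can answer from its own manifest and lockfile: which dependency ranges could silently resolve to a new (poisoned) version, and which packages in the tree run a lifecycle script at install time. The following Node.js script is an added example, not code from the Microsoft post or from any Next.js project. It reads the `hasInstallScript` flag that npm writes into `package-lock.json` (lockfileVersion 2 and 3) and also flags entries not served from the expected registry. The package names, versions and URLs in the sample manifest and lockfile are constructed for the example and do not refer to real malicious packages.

```javascript
// Added example: audit a project's package.json and package-lock.json for
// (1) dependency specs that are not exact versions, (2) packages that npm
// marks as carrying a lifecycle install script, and (3) packages resolved
// from somewhere other than the expected registry.

// Exact version: MAJOR.MINOR.PATCH with an optional prerelease suffix.
const SEMVER_PIN = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Constructed sample package.json: one pinned dep, a caret range, a tilde
// range, and a dist-tag. None of these names are real packages.
const samplePackageJson = {
  name: "example-app",
  dependencies: {
    "next": "14.2.3",
    "some-starter-kit": "^1.0.0",
    "react": "latest"
  },
  devDependencies: {
    "eslint": "~8.57.0"
  }
};

// Constructed sample package-lock.json (lockfileVersion 3 layout). The
// nested "sk-helper" entry has hasInstallScript set, which is the flag npm
// records when a package declares preinstall/install/postinstall scripts;
// that is the hook the campaign's transitive module would use.
const samplePackageLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "next": "14.2.3", "some-starter-kit": "^1.0.0" } },
    "node_modules/next": { version: "14.2.3", resolved: "https://registry.npmjs.org/next/-/next-14.2.3.tgz" },
    "node_modules/some-starter-kit": { version: "1.0.4", resolved: "https://registry.npmjs.org/some-starter-kit/-/some-starter-kit-1.0.4.tgz", dependencies: { "sk-helper": "^0.3.0" } },
    "node_modules/sk-helper": { version: "0.3.2", resolved: "https://registry.npmjs.org/sk-helper/-/sk-helper-0.3.2.tgz", hasInstallScript: true },
    "node_modules/legacy-widget": { version: "2.0.0", resolved: "git+ssh://git@github.com/example/legacy-widget.git#abc123" }
  }
};

// Dependencies whose spec is a range or tag rather than an exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!SEMVER_PIN.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Lockfile entries (any depth) that npm marks as having an install script.
function findInstallScripts(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.hasInstallScript) continue;
    out.push({ name: path.replace(/^.*node_modules\//, ""), version: entry.version, path });
  }
  return out;
}

// Entries not resolved from the registry the team expects: git URLs,
// tarballs, or a mirror the project does not use.
function findOffRegistry(lock, registry = "https://registry.npmjs.org/") {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const resolved = entry.resolved || null;
    if (!resolved || !resolved.startsWith(registry)) out.push({ path, resolved });
  }
  return out;
}

function auditProject(pkg, lock) {
  return {
    unpinned: findUnpinned(pkg),
    installScripts: findInstallScripts(lock),
    offRegistry: findOffRegistry(lock)
  };
}

// Run directly: prints the findings for the constructed sample project.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditProject(samplePackageJson, samplePackageLock), null, 2));
}
```

To run this against a real project, replace the two sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`. Any package listed under `installScripts` deserves a look at its tarball before the next `npm ci`; running installs with `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops such scripts from executing at all, which is the single most effective counter to the install-time mechanism described above.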
While the post focuses on the technical mechanics, the broader implication is a reminder that open-source ecosystems remain attractive targets for nation-state and financially motivated actors. The campaign’s use of a mainstream framework like Next.js, widely adopted for server-rendered React applications, means the potential victim pool includes both individual freelancers and large enterprises that rely on rapid front-end development. As Microsoft highlighted, the threat is not limited to the initial infection: a compromised developer machine can become a launch pad for lateral movement into corporate networks, especially when developers push code to cloud-hosted repositories whose CI pipelines hold credentials for production environments.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.