Developer-targeting campaign using malicious Next.js repositories

A developer-targeting campaign leveraged malicious Next.js repositories to trigger a covert RCE-to-C2 chain through standard build workflows. The activity demonstrates how staged command-and-control can hide inside routine development tasks.
The post Developer-targeting campaign using malicious Next.js repositories appeared first on Microsoft Security Blog.

[A colorful graphic showing a radar scanning icon representing new detection and hunting guidance.]

Research

February 24

14 min read

Developer-targeting campaign using malicious Next.js repositories

By Microsoft Defender Experts and Microsoft Defender Security Research Team

Original source