Microsoft Warns of Malicious Next.js Repos

This campaign uses social engineering, disguising malicious repos as job interview coding challenges. Developers are tricked into cloning and running projects with names like "Cryptan-Platform-MVP1", which contain backdoors that grant attackers remote access to their high-value machines. The malware has multiple triggers, activating when a developer opens the folder in VS Code, runs `npm run dev`, or starts the server. Once active, it fetches a JavaScript payload that runs in memory, exfiltrates environment variables and cloud API keys, and establishes a connection to a command-and-control server for further instructions. This attack is part of a significant and growing trend targeting the software supply chain. Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021. The npm ecosystem is a frequent target due to its massive scale and interconnectedness. Recent major incidents highlight the potential blast radius. In September 2025, a phishing attack on a single maintainer led to the compromise of 18 popular npm packages like `chalk` and `debug`, which have over two billion combined weekly downloads. The malicious code, though live for only a few hours, was estimated to have reached 1 in 10 cloud environments. The primary goal of these campaigns is often the theft of credentials, API keys, and other secrets from developer environments. Another notable 2025 incident, the "Shai-Hulud" worm, was designed to steal cloud service tokens and then self-propagate by compromising other packages maintained by the infected developer. For engineering leaders, the key takeaway is the need for proactive defense beyond trusting package names. Enforcing the use of `npm ci` ensures builds are strictly based on a committed lockfile, preventing unexpected package versions from being introduced. This practice is a crucial guardrail against dependency-based attacks. Adopting more secure package managers like `pnpm` can fundamentally reduce risk by disabling arbitrary `postinstall` scripts by default—a common vector for malware execution. Further hardening the development environment involves using dev containers to isolate projects from the host machine, limiting the potential damage of a compromised dependency. Ultimately, the cost of these incidents isn't just the direct damage, but the thousands of engineering hours spent on incident response, auditing, and remediation. For managers, fostering a security-first mindset involves creating deliberate friction in the development process, such as delaying automatic dependency updates to allow time for community vetting of new package versions.