
Developer-targeting campaign using malicious Next.js repositories

2026-02-24, Microsoft
https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
#VSCode

Contents

Microsoft Defender Experts identified a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Telemetry collected during this investigation indicates the activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution.

During initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises. Further investigation expanded the scope by reviewing repository contents, naming conventions, and shared coding patterns. These artifacts were cross-referenced against publicly available code-hosting platforms. This process uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.

Across these repositories, the campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control. An initial lightweight registration …

IoC

http://api-web3-auth.vercel.app/api/auth
http://vscodesettingtask.vercel.app
http://ip-check-notification-03.vercel.app/api
http://66.235.168.136
http://ip-checking-notification-kgm.vercel.app
http://ip-check-wh.vercel.app/api
http://ip-check-wh.vercel.app
http://87.236.177.9:3000/upload
http://ip-check-notification-rkb.vercel.app
http://ip-check-notification-firebase.vercel.app/api
http://api-web3-auth.vercel.app
http://oracle-v1-beta.vercel.app
http://price-oracle-v2.vercel.app
http://87.236.177.9:3000/api/errorMessage
http://public/assets/js/jquery.min.js
http://api.ipify.org/?format=json
http://monobyte-code.vercel.app
http://ip-checking-notification-firebase111.vercel.app/api
http://ip-check-notification-firebase03.vercel.app
http://oracle-v1-beta.vercel.app/api/getMoralisData
http://87.236.177.9:3000/api/reportErrors
http://87.236.177.9:3000/uploadend
http://coredeal2.vercel.app
http://ip-check-notification-rkb.vercel.app/api
http://163.245.194.216
http://87.236.177.9:3000/api/handleErrors
http://87.236.177.9
http://87.236.177.9:3000/api/hsocketNext
http://ip-check-notification-firebase.vercel.app
http://coredeal2.vercel.app/api/auth
http://87.236.177.9:3000/uploadsecond
http://ip-checking-notification-firebase111.vercel.app
http://87.236.177.9:3000/api/hsocketResult
http://ip-check-notification-firebase03.vercel.app/api
https://price-oracle-v2.vercel.app
http://147.124.202.208
http://ip-check-notification-03.vercel.app
http://vscodesettingtask.vercel.app/api/settings/XXXXX
http://147.124.202.208:3000/api/reportErrors
163.245.194.216
87.236.177.9
66.235.168.136
147.124.202.208
449e2bf57ab4790427a3a7de3d98b6c540e76190a3d844de2f0e7b66be842b19
07ad8525844ce61471e08e8c515b76bf063bac482394152bad814026cd577f69
9ab4045654a6d97762f9ae8bb97d4ecf67fa53ab
13152dcb3be425e1ce0f085cd733121a4665cf9935cf8867738e3d510a80308a
e4d71aa95be0725c351e9d1d273d35ccdb0a8bdb31a57927c8738431b89788f5
6d59740d0710da370d5c38ddf88d6912487a1799e4ad09b72d764a3d27ed16b3
ddd43e493cb333c1cc5d7cd50a6a5a61ecd89cfa5f4076f62c2adf96748b87f8