kebabfrites 3 hours ago
Found out that our (small company's) VPS was compromised by a mining script; the attacker probably exploited NextJS' RCE that I forgot to patch. The scripts were using half of the threads at 100%. I deleted all of them, found the watchdogs that kept recreating them, and updated NextJS. Luckily there was nothing to steal. Now everything seems alright, but I'm thinking that I should format/rebuild everything just in case I missed something. I'm a junior dev with very little experience; I would appreciate any suggestion/advice.
varun_ch 3 hours ago
I would probably document, format and rebuild. Rotate secrets and inform anyone whose data might have been impacted. Assume they compromised everything they would have access to by running code on the server.