Malicious Next.js repositories target software developers

A coordinated campaign is targeting software developers with malicious repositories that mimic legitimate Next.js projects, posing as job-interview and technical-assessment materials, according to Microsoft. The attackers aim to achieve remote code execution on developer machines, steal sensitive data, and deploy further malicious payloads, as reported by Bleeping Computer.

The attackers create fake projects built on Next.js, a popular JavaScript framework, and host them on platforms such as Bitbucket. When a developer clones a repository and opens it locally, malicious JavaScript executes automatically. This script downloads a JavaScript backdoor from an attacker-controlled server and runs it in memory inside the Node.js process, giving the attackers remote code execution. Multiple triggers are embedded to increase the infection rate: a VS Code task that runs when the folder is opened, a dev-server trigger that fetches a loader when "npm run dev" is executed, and a backend startup trigger that exfiltrates environment variables and executes whatever JavaScript it receives. The initial payload profiles the host and registers with a command-and-control server, and is later upgraded to a tasking controller that can enumerate files, browse directories, and exfiltrate data.

This campaign highlights the significant risk posed by seemingly routine developer workflows. Microsoft recommends that developers enable VS Code Workspace Trust, use Attack Surface Reduction rules, and monitor for risky sign-ins. Minimizing secrets on developer endpoints and using short-lived, least-privilege tokens are crucial mitigations against supply chain attacks of this kind.

Source: Bleeping Computer

DevOps, Malware, Phishing, Threat Intelligence
