Developers Targeted by Fake Next.js Repositories Delivering In-Memory Malware
A sophisticated cyber campaign is actively targeting software developers by deploying malicious repositories disguised as legitimate Next.js projects. These deceptive repositories are designed to trick developers into executing harmful code, thereby granting attackers persistent access to compromised systems.
According to the Microsoft Defender Security Research Team, this campaign aligns with broader threats that utilize job-themed lures to seamlessly integrate into standard developer workflows, increasing the likelihood of code execution. The attackers employ multiple entry points, all leading to the execution of attacker-controlled JavaScript at runtime, facilitating command-and-control (C2) operations.
Methods of Attack:
1. Visual Studio Code Workspace Execution: Malicious Visual Studio Code (VS Code) projects are configured to run harmful code automatically once the developer opens and trusts the project. This is achieved through a VS Code task with the `runOn: folderOpen` setting, which executes code retrieved from a Vercel domain as soon as the folder is opened.
2. Build-Time Execution During Application Development: When developers start the development server with a command such as `npm run dev`, malicious code embedded in a modified JavaScript library (for example, one masquerading as `jquery.min.js`) runs. It fetches a JavaScript loader hosted on Vercel, which Node.js then executes in memory.
3. Server Startup Execution via Environment Exfiltration and Dynamic Remote Code Execution: Launching the application backend triggers concealed malicious loader logic within a backend module or route file. This loader transmits the process environment to an external server and executes JavaScript received in response, all within the Node.js server process.
In all three scenarios, the executed JavaScript payload profiles the host system and periodically communicates with a registration endpoint to obtain a unique `instanceId` identifier. This identifier is used in subsequent communications to correlate activities. The payload can also execute server-provided JavaScript in memory, paving the way for a second-stage controller that establishes persistent access by contacting a different C2 server and executing tasks in memory, thereby minimizing traces on disk.
Broader Context:
While Microsoft has not attributed this activity to a specific threat actor, the tactics observed—such as the use of VS Code tasks and Vercel domains to stage malware—are reminiscent of methods employed by North Korea-linked hackers in the Contagious Interview campaign. The primary objective of these efforts is to deliver malware to developer systems, which often contain sensitive data like source code, secrets, and credentials, providing opportunities to infiltrate deeper into target networks.
Recommendations for Developers:
To mitigate the risks associated with such attacks, developers and organizations are advised to:
– Harden Developer Workflow Trust Boundaries: Implement strict controls over the sources and integrity of code and repositories integrated into development workflows.
– Enforce Strong Authentication and Conditional Access: Utilize robust authentication mechanisms and conditional access policies to prevent unauthorized access.
– Maintain Strict Credential Hygiene: Regularly update and manage credentials to minimize the risk of unauthorized access.
– Apply the Principle of Least Privilege: Ensure that developer accounts and build identities have only the necessary permissions required for their roles.
– Separate Build Infrastructure: Where feasible, isolate build environments to prevent potential compromises from affecting production systems.
This campaign underscores the importance of vigilance and proactive security measures in the software development lifecycle to protect against sophisticated supply chain attacks.