Fake Next.js job interview tests backdoor developer's devices
Briefly

"The Microsoft Defender team says that the attacker created fake web app projects built with Next.js and disguised them as coding projects to share with developers during job interviews or technical assessments. The researchers initially identified a repository hosted on the Bitbucket cloud-based Git-based code hosting and collaboration service. However, they discovered multiple repositories that shared code structure, loader logic, and naming patterns."
"When the target clones the repository and opens it locally, following a standard workflow, they trigger malicious JavaScript that executes automatically when launching the app. The script downloads additional malicious code (a JavaScript backdoor) from the attacker's server and executes it directly in memory with the running Node.js process, allowing remote code execution on the machine."
"To increase the infection rate, the attackers embedded multiple execution triggers within the malicious repositories.
VS Code trigger - A .vscode/tasks.json file set with runOn: 'folderOpen' executes a Node script as soon as the project folder is opened.
Dev server trigger - When the developer runs npm run dev, a trojanized asset decodes a hidden URL, fetches a loader from a remote server, and executes it in memory."
A coordinated campaign targets software developers with fake Next.js projects disguised as legitimate coding assessments and job interview materials. The attackers host the malicious repositories on platforms such as Bitbucket; the repositories share code structure, loader logic, and naming patterns. When a developer clones one and opens it locally, several execution triggers run malicious JavaScript automatically: opening the folder in VS Code, starting the npm dev server, and backend initialization. The script downloads a JavaScript backdoor from an attacker-controlled server and executes it in memory inside the running Node.js process, giving the attacker remote code execution on the developer's machine, from which they can exfiltrate sensitive data and deploy additional payloads. The point for defenders is that the developer never knowingly executes an untrusted file; the ordinary clone, open and run workflow is enough.
Read at BleepingComputer