Next.js jobseekers targeted with malicious 'interview' repos
Briefly

"Microsoft said the repositories use different methods to execute on developers' machines, but all lead to the same outcome: in-memory execution of malicious JavaScript. All of the execution paths identified by its research team are designed to trigger during the Next.js devs' normal working routine."
"Regardless of the path taken, the end result is always to register the affected device, run the JavaScript loader, and establish a connection with the attacker's C2 infrastructure. Using a separate C2 IP address and API set handed off by the initial stage, the controller retrieves a messages[] array of JavaScript tasks and executes them in memory using a separate Node interpreter to reduce on-disk artifacts."
"This process also allows for data exfiltration. On developer machines, this could include anything from personal data to source code, secrets, or cloud resources. Microsoft said the controller is capable of rotating its identifiers to prevent anti-malware solutions and human defenders from detection."
Microsoft identified a campaign targeting Next.js developers through fake repositories designed to execute malicious JavaScript in memory. The attack uses multiple execution paths that trigger during normal development activities, such as opening projects in Visual Studio Code or running development servers. All variants retrieve a JavaScript loader and establish connections to attacker-controlled command-and-control infrastructure. The malware executes tasks in memory using a separate Node interpreter to minimize disk artifacts and can exfiltrate sensitive data including source code, secrets, and cloud resources. The controller rotates identifiers to evade security solutions.
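The summary above says the repositories fire during normal routine (opening the project in VS Code, starting the dev server) but does not name the hooks. As an added defender-side example, not code from Microsoft or the campaign, the script below inspects a cloned repository for the standard auto-execution points that match those triggers: npm lifecycle scripts, VS Code tasks with `runOn: folderOpen`, and `next.config.js` (which `next dev` loads). The sample repository it scans is constructed inline; the specific hooks are an assumption about likely paths, not ones confirmed by the article.

```python
"""Flag auto-execution hooks in a cloned repo before opening it or running `next dev`."""
import json
import os
import re
import tempfile

# npm lifecycle scripts that run without the developer calling them by name
AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare",
                "predev", "dev", "prestart", "start"}
# Primitives that suggest inline/in-memory code execution or a download step
SUSPICIOUS = re.compile(
    r"node\s+-e\b|\beval\(|new Function\(|child_process|\bcurl\s|\bwget\s|\bfetch\(")


def scan_repo(root):
    """Return (file, reason) findings for hooks that fire on open or dev-server start."""
    findings = []
    pkg = os.path.join(root, "package.json")
    if os.path.isfile(pkg):
        with open(pkg, encoding="utf-8") as f:
            scripts = json.load(f).get("scripts", {})
        for name, cmd in scripts.items():
            if name in AUTO_SCRIPTS and SUSPICIOUS.search(cmd):
                findings.append(("package.json", f"script '{name}' is suspicious: {cmd}"))
    # Real tasks.json files are JSONC (comments allowed); strict JSON is assumed here
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):
        with open(tasks, encoding="utf-8") as f:
            for task in json.load(f).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((".vscode/tasks.json",
                                     f"task '{task.get('label')}' runs on folder open"))
    # next.config.js is executed by `next dev`, so a loader can hide there
    cfg = os.path.join(root, "next.config.js")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8") as f:
            if SUSPICIOUS.search(f.read()):
                findings.append(("next.config.js", "config contains exec/network primitives"))
    return findings


def demo():
    """Constructed sample repo (hypothetical, not the real campaign) hitting each check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w") as f:
        json.dump({"scripts": {"dev": "node -e \"require('http')\" && next dev",
                               "build": "next build"}}, f)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as f:
        json.dump({"tasks": [{"label": "setup", "type": "shell", "command": "node setup.js",
                              "runOptions": {"runOn": "folderOpen"}}]}, f)
    with open(os.path.join(root, "next.config.js"), "w") as f:
        f.write("const cp = require('child_process');\nmodule.exports = {};\n")
    return scan_repo(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against a freshly cloned "interview" repository before opening it; a clean project yields an empty list, and any hit is worth reading by hand before trusting the folder.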
Read at The Register