Fake 'interview' repos lure Next.js devs into running secret-stealing malware
theregister.co.uk
Next.js developers are once again in the crosshairs as hackers seed malicious repositories disguised as legitimate projects, according to Microsoft, which said a limited set of those repos were directly tied to observed compromises.
Microsoft said the repositories use different methods to execute on developers’ machines, but all lead to the same outcome: in-memory execution of malicious JavaScript.
All of the execution paths identified by its research team are designed to trigger during the Next.js devs' normal working routine. One, for example, abuses Visual Studio Code's workspace automation to load files as soon as the dev opens and trusts the project.
In these cases, the variants tend to retrieve a JavaScript loader from Vercel and execute it using Node.js, then begin beaconing to attacker-controlled command-and-control (C2) infrastructure for further tasking.
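A pre-open check for the workspace-automation path described above, as an added example that is not from the article or from Microsoft's report. It assumes the automation takes the form of a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen` (the article does not name the mechanism); the command heuristic and the sample file are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): the task command runs an interpreter or references a URL.
SUSPICIOUS = re.compile(r"\b(node|curl|wget|powershell)\b|https?://", re.I)

def strip_jsonc(text):
    """tasks.json allows comments and trailing commas; drop both outside strings."""
    for pat in (r"//[^\n]*|/\*.*?\*/", r",(?=\s*[}\]])"):
        rx = re.compile(r'"(?:\\.|[^"\\])*"|' + pat, re.S)
        text = rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    return text

def audit_workspace(repo):
    """List (file, task label, reason) for tasks set to run when the folder opens."""
    findings = []
    for path in Path(repo).rglob(".vscode/tasks.json"):
        try:
            doc = json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            findings.append((str(path), "<unparsed>", f"review by hand: {exc}"))
            continue
        tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
        for task in (t for t in tasks if isinstance(t, dict)):
            if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
                continue
            cmd = " ".join(str(p) for p in [task.get("command", ""), *(task.get("args") or [])])
            hit = SUSPICIOUS.search(cmd)
            reason = "runs on folder open" + ("; launches an interpreter or fetches a URL" if hit else "")
            findings.append((str(path), task.get("label", "<unlabelled>"), reason))
    return findings

def demo():
    """Audit a constructed sample repository written to a temporary directory."""
    sample = """{
      // constructed sample, not taken from the repositories in the report
      "tasks": [
        {"label": "lint", "type": "shell", "command": "npm run lint"},
        {"label": "prepare", "type": "shell", "command": "node scripts/setup.js",
         "runOptions": {"runOn": "folderOpen"},},
      ]
    }"""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp, "app", ".vscode")
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(sample, encoding="utf-8")
        return [(label, reason) for _, label, reason in audit_workspace(tmp)]
```

Run `audit_workspace()` on a freshly cloned repository before opening it in the editor; any finding means the task definition should be read by hand before the workspace is trusted.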
Other paths involve the targeted developers running the project's development server either directly or via ...

