Microsoft Warns of Malicious Next.js Repositories
Microsoft's security team has uncovered a targeted campaign using malicious Next.js repositories to compromise developer environments. The attack chain exploits trust in open-source packages to establish command-and-control. The report underscores the importance of vetting dependencies, using lockfiles, and monitoring for suspicious activity in CI/CD pipelines.
- The attack vector relied on social engineering, with malicious repositories disguised as technical assessments for job interviews and hosted on Bitbucket. Some variants were designed to execute automatically upon opening the project in Visual Studio Code by using the `runOn: "folderOpen"` setting within the `.vscode/tasks.json` file. - Microsoft's investigation began after Defender telemetry detected Node.js processes making suspicious outbound connections to known command-and-control (C2) IP addresses. The C2 infrastructure was multi-staged, starting with a lightweight registration beacon to identify the host before pivoting to a separate controller for persistent tasking and in-memory execution. - The malicious repositories shared consistent naming conventions, such as "Cryptan-Platform-MVP1," which allowed security analysts to identify a broader network of related repositories beyond the initial ones detected. - This incident is an example of a software supply chain attack, a trend that has grown to rival traditional exploits in frequency. Attackers increasingly target open-source package registries like npm and PyPI, abusing developer trust in automated build tools and the complex web of transitive dependencies. - A median JavaScript project has been found to have as many as 683 transitive dependencies, creating a vast attack surface that is difficult to audit manually. - The attackers' goal was to gain persistence on high-value developer systems to access source code, environment secrets, credentials, and infrastructure access keys. - A parallel trend in supply chain attacks involves compromising the CI/CD pipeline itself, with recent incidents showing threat actors exploiting misconfigured GitHub Actions to steal secrets. - To mitigate such threats in Next.js applications, security best practices include never using the `NEXT_PUBLIC_` prefix for sensitive environment variables, as this exposes them to the client-side bundle, and implementing a strict Content Security Policy (CSP) to control which resources can be loaded.
