A coordinated campaign targets software developers by publishing malicious Bitbucket repositories disguised as legitimate Next.js projects and technical assessment materials, including coding tests. When developers clone and open these repos, embedded triggers (VS Code folderOpen tasks, npm dev assets, or backend startup code) execute JavaScript loaders that fetch in-memory backdoors enabling remote code execution, data exfiltration, and staged payload delivery. #Nextjs #Bitbucket
Keypoints
- Attackers publish fake Next.js projects and recruiting materials to lure developers into cloning repositories.
- Multiple execution triggers are embedded: VS Code tasks.json with `runOn: "folderOpen"`, trojanized dev-server assets invoked by `npm run dev`, and backend startup code reading .env values.
- Malicious JavaScript loaders download a backdoor and execute it in-memory within the Node.js process to achieve remote code execution.
- The payload has two stages: host profiling and C2 registration (Stage 1), then a tasking controller (Stage 2) that executes JavaScript, enumerates files, and supports staged exfiltration.
- Mitigations include enforcing VS Code Workspace Trust/Restricted Mode, applying Attack Surface Reduction rules, monitoring risky sign-ins with Entra ID Protection, and minimizing long-lived secrets on developer endpoints.