惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园_首页
T
The Blog of Author Tim Ferriss
罗磊的独立博客
The Register - Security
The Register - Security
IT之家
IT之家
D
Docker
爱范儿
爱范儿
Apple Machine Learning Research
Apple Machine Learning Research
Hugging Face - Blog
Hugging Face - Blog
博客园 - Franky
L
LangChain Blog
J
Java Code Geeks
博客园 - 三生石上(FineUI控件)
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
K
Kaspersky official blog
Latest news
Latest news
博客园 - 聂微东
酷 壳 – CoolShell
酷 壳 – CoolShell
Cyberwarzone
Cyberwarzone
人人都是产品经理
人人都是产品经理
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
MongoDB | Blog
MongoDB | Blog
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
DataBreaches.Net
Project Zero
Project Zero
H
Hackread – Cybersecurity News, Data Breaches, AI and More
G
Google Developers Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Check Point Blog
S
Schneier on Security
NISL@THU
NISL@THU
T
Tor Project blog
P
Proofpoint News Feed
N
News and Events Feed by Topic
Last Week in AI
Last Week in AI
N
Netflix TechBlog - Medium
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
T
The Exploit Database - CXSecurity.com
L
LINUX DO - 最新话题
Help Net Security
Help Net Security
Blog — PlanetScale
Blog — PlanetScale

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Fake 'interview' repos lure Next.js devs into running secret-stealing malware
2026-02-26 · via The Register - Security: Research

Next.js developers are once again in the crosshairs as hackers seed malicious repositories disguised as legitimate projects, according to Microsoft, which said a limited set of those repos were directly tied to observed compromises.

Microsoft said the repositories use different methods to execute on developers’ machines, but all lead to the same outcome: in-memory execution of malicious JavaScript.

All of the execution paths identified by its research team are designed to trigger during the Next.js devs' normal working routine. One, for example, abuses Visual Studio Code's workspace automation to load files as soon as the dev opens and trusts the project.

In these cases, the variants tend to retrieve a JavaScript loader from Vercel and execute it using Node.js, then begin beaconing to attacker-controlled command-and-control (C2) infrastructure for further tasking.

Other paths involve the targeted developers running the project's development server either directly or via npm run dev, where malicious logic embedded in trojanized assets or modified libraries (such as altered frontend files) retrieves and executes the loader. Others rely on victims starting the application's backend, triggering preloaded logic hidden in backend modules during server initialization or module import.

Regardless of the path taken, the end result is always to register the affected device, run the JavaScript loader, and establish a connection with the attacker's C2 infrastructure.

Using a separate C2 IP address and API set handed off by the initial stage, the controller retrieves a messages[] array of JavaScript tasks and executes them in memory using a separate Node interpreter to reduce on-disk artifacts.

This process also allows for data exfiltration. On developer machines, this could include anything from personal data to source code, secrets, or cloud resources.

Microsoft said the controller is capable of rotating its identifiers to prevent anti-malware solutions and human defenders from identifying patterns of suspicious activity, in addition to receiving the attacker's instructions.

The controller will also obey kill-switch or shutdown commands, track the processes it spawns to prevent the victim from suspecting anything is awry based on performance issues, and report error telemetry, allowing attackers to tweak the commands that fail.

The projects are disseminated by miscreants under the guise that they are used as part of the hiring process, requiring developers to complete tasks related to job applications.

And while it's difficult to imagine that targeted devs would complete these interview assessment tasks on a corporate machine, Microsoft warned that doing so could open up an organization to a wider compromise.

It added: "The key takeaway is that defenders should treat developer workflows as a primary attack surface and prioritize visibility into unusual Node execution, unexpected outbound connections, and follow‑on discovery or upload behavior originating from development machines." ®