Reverse Engineering the Next.js Job Interview Malware (hidden in next.config.js)
Posted Nov 30, 2025 at 3:08 PM EST | Source: dzentota.medium.com | Hacker News story ID: 46099932
Topics: Next.js, Malware, Cybersecurity, Lastpass
TL;DR: I was approached for a job on LinkedIn and asked to run a Next.js project. The malware wasn't in package.json dependencies but was triggered by next.config.js executing a fake jQuery file during npm run dev.
It dropped a Python RAT that targets LastPass vaults and crypto extensions. I managed to deobfuscate 65 layers of the payload to find the source code.
Happy to answer any questions about the analysis or the vectors used.
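
A defender-side check for the vector described in the post (code reached from next.config.js runs when the dev server starts), added here as an example and not taken from the post or the linked article. The rule list, the function names and the sample file contents are assumptions constructed for illustration; the audit works on file text only and never executes the project.

```javascript
// Static pre-run audit of a cloned project's next.config.js (heuristics are assumptions).
const RULES = [
  ['child_process', /\bchild_process\b/],
  ['eval', /\beval\s*\(/],
  ['Function constructor', /\bFunction\s*\(/],
  ['base64 decode', /\batob\s*\(|['"]base64['"]/],
  ['network fetch', /\bfetch\s*\(|require\(\s*['"]https?['"]\s*\)/],
  ['very long line', /^.{2000,}$/m], // typical of packed or obfuscated code
];
const LOCAL_REQUIRE = /require\(\s*['"](\.{1,2}\/[^'"]+)['"]\s*\)/g;

// Resolve "./a/../b.js" relative to the directory of `from` (POSIX-style keys).
function resolve(from, rel) {
  const out = from.split('/').slice(0, -1);
  for (const part of rel.split('/')) {
    if (part === '..') out.pop();
    else if (part !== '.' && part !== '') out.push(part);
  }
  return out.join('/');
}

// files: { "relative/path.js": "source text" }; entry: config file to start from.
// Follows local require() calls from the config and flags risky constructs on the way.
function auditConfig(files, entry = 'next.config.js') {
  const findings = [];
  const seen = new Set();
  const queue = [entry];
  while (queue.length) {
    const file = queue.shift();
    if (seen.has(file)) continue;
    seen.add(file);
    const src = files[file] ?? files[file + '.js'];
    if (src === undefined) continue;
    for (const [rule, re] of RULES) if (re.test(src)) findings.push({ file, rule });
    for (const m of src.matchAll(LOCAL_REQUIRE)) {
      const target = resolve(file, m[1]);
      findings.push({ file, rule: 'loads local file', target });
      queue.push(target);
    }
  }
  return findings;
}

// Constructed sample project (not the real sample's code); held as strings, never run.
const SAMPLE = {
  'next.config.js': "require('./public/js/jquery.min.js');\nmodule.exports = { reactStrictMode: true };",
  'public/js/jquery.min.js': "const cp = require('child_process');\neval(Buffer.from('AAAA', 'base64').toString());",
};
console.log(auditConfig(SAMPLE));
```

Any finding on a config file is a reason to read that file by hand before running `npm run dev`; an empty result only means these specific heuristics did not match.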