OP here. This is a detailed analysis of a malware attack I recently encountered.
TL;DR: I was approached for a job on LinkedIn and asked to run a Next.js project. The malware wasn't in package.json dependencies but was triggered by next.config.js executing a fake jQuery file during npm run dev.
It dropped a Python RAT that targets LastPass vaults and crypto extensions. I managed to deobfuscate 65 layers of the payload to find the source code.
Happy to answer any questions about the analysis or the vectors used.