Cryptominer Script Injected Into Next.js App Folder
Answered
Spectacled Caiman posted this in #help-forum
Spectacled CaimanOP
Hi, I want to ask whether there are any known security vulnerabilities in Next.js that could lead to a server being compromised.
I have been running this server for almost a year and found no issue. Today, 5 December, I had two separate Tencent Cloud Lighthouse instances hacked, each hosting a different Next.js project. In both cases, an identical malicious script named sex.sh was placed inside the NextJS project.
The script was executing xmrig-6.24, a crypto miner. These two projects were on two completely separate Tencent Cloud accounts, both with MFA enabled.
I’m currently investigating with Tencent Cloud, but I want to check from the Next.js side as well:
Questions:
Are there any known recent / active security vulnerabilities in Next.js that could allow attackers to plant and run arbitrary .sh files?
Any insights or guidance would be greatly appreciated. Thank you.
6 Replies
Spectacled CaimanOP
Which version?
Spectacled CaimanOP
Exactly, thank you!