
My Next.js app got hacked, and here is what I learned.
This week, I discovered something alarming inside my production environment for rmbg.pro, my image background-removal app.
My Next.js container (running on Alpine) was being targeted by a malware dropper.
It attempted to download and execute a bot from a suspicious IP (176.117.107.154), override LD_PRELOAD, and run binaries like busybox and x86.
The attack caused repeated crashes and instability inside the container, but fortunately no data was leaked.
After digging deeper, the evidence pointed away from my application logic and toward the environment. The candidate entry points were:
A vulnerable dependency allowing remote command execution
A supply-chain script running during the build (an install-time lifecycle hook)
A host-level compromise propagating into the containers
This is where Trae EDI saved the day.
With Trae EDI's help, we:
Rebuilt the Docker image as a multi-stage build on a minimal node:20-alpine base
Removed root access; the app now runs as a dedicated non-root user (nextjs)
Disabled all dependency lifecycle scripts (preinstall, install, postinstall) with npm ci --ignore-scripts
Shipped only the production-ready .next/standalone build
Removed the tools the dropper relied on (wget, curl, busybox and the shell utilities it provides)
Restricted outbound network access to known destinations only
Rotated all secrets (SMTP credentials, API keys, tokens)
Started dependency auditing and tightened CI security
Together these changes hardened the container, cut its attack surface, and stopped the malicious process from running again.
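The list above maps onto a single Dockerfile. The one below is an added example, not the post's own build file or anything from the Trae EDI remediation; it assumes next.config.js sets `output: 'standalone'`, that the repo has a package-lock.json, and that the app listens on port 3000. The user and group names (nextjs/nodejs) and the image tag are illustrative.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the post's own Dockerfile). Assumes `output: 'standalone'`
# in next.config.js and a package-lock.json in the repo. In real use, pin the
# base image by digest (node:20-alpine@sha256:<digest>) so a retagged image
# cannot slip into the build.

# Stage 1: install dependencies with every lifecycle hook disabled.
# --ignore-scripts blocks preinstall/install/postinstall in all packages,
# which is where a compromised dependency would run its dropper.
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts

# Stage 2: build. Only the project's own scripts from package.json run here.
FROM node:20-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
ENV NEXT_TELEMETRY_DISABLED=1
RUN npm run build

# Stage 3: runtime. Nothing from the build toolchain is copied in.
FROM node:20-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production PORT=3000 HOSTNAME=0.0.0.0

# Dedicated unprivileged user and group; the app never needs root.
RUN addgroup -S -g 1001 nodejs && adduser -S -u 1001 -G nodejs nextjs

# Ship only the standalone server, its static assets and public files,
# owned by the runtime user.
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/public ./public

# Last root step: remove the package manager and curl (if present), then
# busybox itself. On Alpine, /bin/sh, wget and nearly every core utility
# are symlinks to /bin/busybox, so this one rm leaves the image with no
# shell for a dropper's `sh -c "wget ... && chmod +x ... && ./x86"` chain.
# It must be the final command of this RUN: nothing after it can exec a
# busybox applet, and no later instruction may use shell form.
RUN rm -f /sbin/apk /usr/bin/curl && rm -f /bin/busybox

USER nextjs
EXPOSE 3000
# Exec form is mandatory: there is no /bin/sh left to interpret shell form.
CMD ["node", "server.js"]
```

Two checks worth running after `docker build -t rmbg-app .`: `docker run --rm --entrypoint sh rmbg-app` should fail with an "executable file not found" error, proving the shell is gone, and `docker run --rm rmbg-app id` should fail the same way (use `docker inspect` to confirm `Config.User` is `nextjs` instead). The trade-off is that `docker exec ... sh` no longer works for debugging and a HEALTHCHECK has to be exec-form `node -e` rather than wget. If a dependency genuinely needs its install script, run it for that package alone in the build stage with `npm rebuild <package>` instead of re-enabling scripts globally. Egress filtering is not something a Dockerfile can express; it belongs in the host firewall (for example Docker's DOCKER-USER iptables chain) or an `internal` Compose network with an explicit egress proxy.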
A big THANK YOU to Trae EDI for the deep analysis, clear explanations, and fast remediation.
Your guidance helped secure my infrastructure and protect rmbg.pro from further threats.
Final Thought
If you're hosting Next.js apps on Docker/Alpine, don't underestimate supply-chain attacks.
Run as non-root, disable lifecycle scripts, restrict egress, and keep your host clean.
Stay safe and secure!
Top comments (1)
I wonder if it is related to the new 10.0 vulnerability found in Next.js (CVE-2025-66478), which originated from an upstream React vulnerability that allowed remote code execution.