Postmortem: Our Next.js 15 App Was Hacked via a Third-Party npm Package

DEV Community·ANKUSH CHOUDHARY JOHAL·29 days ago

A detailed breakdown of how a compromised dependency led to a full application breach, and how we hardened our supply chain.

Incident Summary

On October 12, 2024, our team detected unauthorized access to our production Next.js 15 application, which powers our e-commerce checkout flow. The breach originated from a malicious update to a third-party npm package we used for legacy image optimization, next-legacy-image-optimizer (v2.1.4), which had been compromised via a maintainer phishing attack.

Timeline of Events

October 10, 2024, 14:22 UTC: The legitimate maintainer of next-legacy-image-optimizer fell for a phishing email disguised as an npm security alert, handing over their 2FA credentials.

October 10, 2024, 16:45 UTC: Attackers published a malicious v2.1.4 update to the package, injecting a cryptomining script and a backdoor that exfiltrated environment variables.

…
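The timeline above shows the window that matters for defenders: the malicious v2.1.4 went live on the registry about two days before the breach was detected, and any install that resolved to the fresh version in that window picked it up. The script below is an added example, not code from the post or from the package in question. It is a pre-install gate that reads a package-lock.json and the registry's per-version publish timestamps, refuses versions younger than a configurable cooldown, and also flags packages that declare install lifecycle scripts (the hasInstallScript field npm writes into lockfileVersion 2 and 3). The lockfile fragment, the registry "time" data, the three-day policy, and the companion package names (example-utils, nested-dep) are all constructed for illustration; in use you would read the real lockfile and fetch https://registry.npmjs.org/<name>, whose "time" object has this shape.

```javascript
// Added example (not from the original post): a lockfile audit that enforces a
// publish-age cooldown and flags install scripts before `npm ci` runs.
const MS_PER_DAY = 86_400_000;

// Constructed package-lock.json (lockfileVersion 3) fragment. The package name
// and version mirror the post; the other entries are made up for illustration.
// npm sets hasInstallScript when a package declares preinstall/install/postinstall.
const SAMPLE_LOCK = {
  name: "checkout-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "checkout-app", dependencies: { "next-legacy-image-optimizer": "^2.1.0" } },
    "node_modules/next-legacy-image-optimizer": { version: "2.1.4", hasInstallScript: true },
    "node_modules/example-utils": { version: "4.2.0" },
    "node_modules/example-utils/node_modules/nested-dep": { version: "0.9.1" },
  },
};

// Constructed registry metadata: the "time" object returned by
// https://registry.npmjs.org/<name>, mapping version -> publish timestamp.
// The v2.1.4 timestamp matches the post's timeline; the rest are assumed.
const SAMPLE_REGISTRY_TIME = {
  "next-legacy-image-optimizer": {
    "2.1.3": "2024-06-01T10:00:00.000Z",
    "2.1.4": "2024-10-10T16:45:00.000Z",
  },
  "example-utils": { "4.2.0": "2023-11-20T08:00:00.000Z" },
  "nested-dep": { "0.9.1": "2022-03-03T00:00:00.000Z" },
};

// Derive the package name from a lockfile "packages" key. Uses the last
// node_modules/ segment so nested installs and @scoped names both work;
// returns null for the root project entry ("").
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every resolved package and return policy findings. Each finding has a
// rule: "too-new" (published within the cooldown), "unknown-version" (not in
// registry metadata) or "install-script" (runs code at install time).
function auditLockfile(lock, registryTime, nowIso, minAgeDays) {
  const now = Date.parse(nowIso);
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name) continue;
    const times = registryTime[name];
    const published = times && times[meta.version];
    if (!published) {
      findings.push({ name, version: meta.version, rule: "unknown-version",
        detail: "version not present in registry metadata" });
    } else {
      const ageDays = (now - Date.parse(published)) / MS_PER_DAY;
      if (ageDays < minAgeDays) {
        findings.push({ name, version: meta.version, rule: "too-new",
          detail: `published ${ageDays.toFixed(1)} days ago (< ${minAgeDays})` });
      }
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, rule: "install-script",
        detail: "declares a lifecycle install script" });
    }
  }
  return findings;
}

// Run the constructed sample as if an engineer installed on the morning of
// October 11, 2024, the day after the malicious publish.
function runSampleAudit() {
  return auditLockfile(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME, "2024-10-11T09:00:00.000Z", 3);
}

for (const f of runSampleAudit()) {
  console.log(`${f.rule}: ${f.name}@${f.version} (${f.detail})`);
}
```

Wire this in as a CI step that fails the build on any finding, and treat "too-new" as a hold rather than a verdict: with a three-day cooldown, a version published on October 10 would not become installable before October 13, which buys time for a hijacked release to be reported and pulled. Two caveats. A cooldown does nothing against a malicious version that sits unnoticed longer than the window, and the install-script check only catches code that runs at install time; a backdoor that reads environment variables from inside the module at runtime, as described in the post, needs no install script and will only be caught by review, egress controls, or secrets kept out of the process environment.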
