
Attackers compromise Picreel and Alpaca forms to deploy malicious code on thousands of sites

  • Attackers have embedded malicious code on thousands of websites by modifying JavaScript files on the infrastructure of Picreel and Alpaca Forms.
  • The malicious code embedded in the Picreel script has been detected on 1,249 websites, while the Alpaca Forms script has been detected on 3,435 domains.

Attackers have compromised analytics service Picreel and open-source project Alpaca Forms to embed malicious code on over 4,600 websites.

The big picture

Sanguine Security founder Willem de Groot observed that attackers embedded malicious code on thousands of websites by modifying JavaScript files on the infrastructure of Picreel and Alpaca Forms.

De Groot noted that both hacks were carried out by the same threat actor.

The malicious code embedded in the Picreel script has been detected on 1,249 websites, while the Alpaca Forms script has been detected on 3,435 domains.

  • This embedded malicious code collects all data that users enter inside form fields such as checkout/payment pages, contact forms, and login sections.
  • The collected information is then sent to a server located in Panama.

The response

Michael Uzquiano, CTO at Cloud CMS, the developer of Alpaca Forms, told ZDNet in an email that attackers compromised only one Alpaca Forms JavaScript file on its CDN (content delivery network).

  • Cloud CMS has taken down the CDN that was serving the infected Alpaca Forms script.
  • It is investigating the incident and has confirmed that there is no evidence of a security breach or security issue with Cloud CMS, its customers, or its products.
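
For site owners who load third-party scripts like the ones modified here, the following added example (not from the article, Picreel, or Cloud CMS) audits a page for externally hosted scripts that lack a Subresource Integrity pin and shows that a pinned file fails verification once its bytes change on the host. SRI is a mitigation the article does not mention; the hosts, file names, and script bodies are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = ("sha256", "sha384", "sha512")  # weakest to strongest, per the SRI spec


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Compute the integrity attribute value for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"


def matches_integrity(body: bytes, integrity: str) -> bool:
    """Check a fetched body the way a browser does: strongest listed algorithm only."""
    tokens = [t.split("?")[0] for t in integrity.split()]
    algs = [t.split("-")[0] for t in tokens if t.split("-")[0] in STRENGTH]
    if not algs:
        return False  # simplification: treat "no usable hash" as a failure
    best = max(algs, key=STRENGTH.index)
    return sri_hash(body, best) in tokens


class _ScriptTags(HTMLParser):
    """Collect (src, integrity) for scripts loaded from a different host."""
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host, self.found = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("src") or "").netloc
        if tag == "script" and host and host != self.page_host:
            self.found.append((a["src"], a.get("integrity")))


def unpinned_scripts(html: str, page_host: str) -> list:
    """Return third-party script URLs that carry no integrity attribute."""
    parser = _ScriptTags(page_host)
    parser.feed(html)
    return [src for src, integrity in parser.found if not integrity]


# Constructed sample data; hosts and file names are placeholders.
ORIGINAL = b"function renderForm(el) { /* vendor code */ }\n"
TAMPERED = ORIGINAL + b"/* bytes added after the site pinned the file */\n"
PINNED = sri_hash(ORIGINAL)
PAGE = f'''<script src="https://cdn.example/forms.min.js" integrity="{PINNED}" crossorigin="anonymous"></script>
<script src="https://widgets.example/popup.js"></script>'''
```

A pin only suits files that are versioned and not expected to change, because any legitimate update by the vendor also changes the hash and the browser will refuse to run the script.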

Publisher: Cyware