
IconBurst Supply Chain Attacks Steal Data Via Malicious NPM Packages

An NPM supply-chain attack has been spotted using dozens of malicious NPM modules containing obfuscated JavaScript code. The goal is to compromise downstream desktop apps and websites.

The supply-chain attack

A researcher from ReversingLabs spotted that the attackers behind the IconBurst campaign used typosquatting to target developers looking for popular packages, such as the ionic[.]io and umbrellajs NPM modules.
  • Developers tricked by the look-alike module names would add the malicious packages to their apps or websites, where the packages were built to steal data from embedded forms (such as sign-in forms).
  • For example, one of the malicious NPM packages (icon-package) has over 17,000 downloads. It is built to exfiltrate serialized form data to multiple attacker-controlled domains.
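As an added example that is not part of the original article, the following Node.js script flags dependencies in a package.json whose names sit within a couple of edits of a well-known package, the typosquatting pattern described above. The list of known package names and the sample manifest (including its misspelled entries) are constructed for this example.

```javascript
// Added example: flag dependencies whose names are near-misses of well-known
// packages. KNOWN_PACKAGES is an assumption; extend it with the libraries
// your organisation actually depends on.
const KNOWN_PACKAGES = ["ionic", "umbrellajs", "lodash", "express", "react"];

// Classic Levenshtein edit distance between two strings (a transposition costs 2).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped look-alikes are compared too.
function bareName(name) {
  return name.startsWith("@") ? name.split("/")[1] || name : name;
}

// Return [{dependency, resembles, distance}] for dependency names within
// `maxDistance` edits of a known package but not identical to it.
// Note: very short names produce false positives at distance 2; review findings by hand.
function findTyposquats(pkgJson, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    const name = bareName(dep).toLowerCase();
    if (KNOWN_PACKAGES.includes(name)) continue; // exact match: the genuine package
    for (const known of KNOWN_PACKAGES) {
      const distance = editDistance(name, known);
      if (distance <= maxDistance) findings.push({ dependency: dep, resembles: known, distance });
    }
  }
  return findings;
}

// Constructed sample manifest; the misspelled names are made up for this example.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { ionic: "^6.0.0", umbrelajs: "^3.0.0", lodahs: "^4.17.0" },
  devDependencies: { "@types/react": "^18.0.0" },
};

console.log(JSON.stringify(findTyposquats(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it as a pre-install or CI step against the manifest under review; any finding means the dependency name should be checked against the registry before it is installed.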

Further, researchers have observed similarities between the domains used to exfiltrate information, which implies that the different modules used in this campaign are controlled by a single threat actor.

More insights

  • When the team of researchers contacted the NPM security team on July 1 to report their findings, some IconBurst malicious packages were still available on the NPM registry.
  • All the NPM modules detected by the researchers have been downloaded more than 27,000 times in total.
  • As only a few development organizations are able to spot malicious code within open source modules and libraries, the attacks stayed hidden for months.

Conclusion

The full extent of this attack is still not known, although the malicious packages are believed to be used by hundreds of users. Thus, software development organizations and their customers require new processes and tools for stopping supply-chain risks posed by recent malicious NPM packages.
Publisher: Cyware