Numerous Websites And Applications Affected by NPM Supply-Chain Attack 

Hundreds of websites and desktop applications were compromised in an NPM supply-chain attack, active since December 2021, that relied on numerous malicious NPM modules containing obfuscated JavaScript. Researchers at software supply chain security company ReversingLabs found that the threat actors behind the operation, known as IconBurst, used typosquatting to catch developers searching for well-known packages such as the umbrellajs and ionic.io NPM modules.

Developers duped by the confusingly similar module names would pull the malicious packages into their applications or websites, where the code was designed to steal data from embedded forms, including those used for sign-in. One of the malicious NPM packages used in this campaign, icon-package, was downloaded more than 17,000 times and is built to exfiltrate serialized form data to several attacker-controlled domains.

IconBurst “relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages,” ReversingLabs reverse engineer Karlo Zanki said. “Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor.” 
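The typosquatting pattern described above can be checked for on the defending side by comparing a project's declared dependencies against the names being impersonated. The following is an added example, not code from the article or from ReversingLabs; the watchlist (umbrellajs, ionic), the known-bad name icon-package and the sample manifest are taken from the article or constructed here, and the distance threshold is an assumption.

```javascript
// Added example (not the article's or ReversingLabs' code): flag dependency
// names in a package.json that sit confusingly close to a watchlist of
// legitimate packages, the lookalike pattern IconBurst used against
// umbrellajs and ionic. Watchlist and sample manifest are constructed here.
const WATCHLIST = ['umbrellajs', 'ionic']; // names the article says were impersonated
const KNOWN_MALICIOUS = new Set(['icon-package']); // malicious name from the article
// Damerau-Levenshtein distance (adjacent transposition counts as one edit):
// a small distance to a watchlist name is the typosquatting signal.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}
// Strip scope and separators so "umbrella-js" and "umbrellajs" compare equal.
function normalise(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[-_.]/g, '');
}
// Report each dependency that is a known-bad name, or is within `maxDistance`
// edits of a watchlist name without being that exact package.
function auditDependencies(pkg, maxDistance = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(dep)) {
      findings.push({ dep, reason: 'known-malicious' });
      continue;
    }
    for (const legit of WATCHLIST) {
      if (dep === legit) continue; // the genuine package, not a squat
      const dist = editDistance(normalise(dep), normalise(legit));
      if (dist <= maxDistance) findings.push({ dep, reason: 'lookalike', match: legit, dist });
    }
  }
  return findings;
}
// Constructed sample manifest: one genuine, one known-bad, one lookalike name.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { umbrellajs: '^3.3.0', 'icon-package': '1.0.0', umbrelajs: '1.0.0' },
};
auditDependencies(SAMPLE_PACKAGE_JSON).forEach((f) => console.log(JSON.stringify(f)));
```

Short watchlist names such as "ionic" will produce false positives at a distance of 2, so tune `maxDistance` per name and treat a hit as a prompt for manual review of the package, not as proof of compromise.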

The ReversingLabs team contacted the NPM security team on July 1, 2022 to disclose its findings, but some of the harmful IconBurst packages remain accessible through the NPM registry. According to Zanki, most of the identified packages were still available for download at the time of writing, while a handful had been removed from NPM. The attacks went on for months before coming to the researchers' attention because very few development firms have the capacity to identify malicious code within open-source libraries and modules.

The full impact of the IconBurst supply-chain attack has yet to be determined, even though the researchers were able to compile a list of the malicious packages used in it: there is no way to know how much data and how many login credentials have been stolen through infected websites and apps since December 2021. The only available metrics are the download counts ReversingLabs collected for each malicious NPM module.

Zanki said the malicious packages identified are probably used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites, and that the full scope of the attack is still unknown. Many desktop, mobile and web applications are running the malicious code bundled in these NPM modules and capturing large quantities of user data. In total, the identified NPM modules have been downloaded more than 27,000 times.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.