Developers duped by the confusingly similar module names would pull the malicious packages into their applications or websites; those packages were built to steal data from embedded forms, including the forms used for sign-in. Consider icon-package, one of the malicious NPM packages used in this campaign: it was designed to exfiltrate serialized form data to several attacker-controlled sites and had been downloaded over 17,000 times.
IconBurst “relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages,” ReversingLabs reverse engineer Karlo Zanki said. “Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor.”
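Typosquatting works because a near-miss name is easy to overlook in a dependency list. The following check, added here as an illustration and not code from the article or from ReversingLabs, scans a package.json for dependency names that are not on a team's allowlist of known-good packages but sit within a small edit distance of one. The allowlist, the sample manifest and the squatted names in it are all constructed for the demonstration.

```javascript
// Added example (not from the article or ReversingLabs): flag dependency
// names that are a small edit distance away from well-known packages,
// the pattern that typosquatting campaigns such as IconBurst rely on.

// Constructed allowlist of legitimate, widely used package names. In
// practice this would come from an internal registry or a curated list.
const KNOWN_PACKAGES = ["lodash", "express", "react", "axios", "chalk"];

// Constructed sample package.json for the demonstration. Three of the
// dependencies are near-misses of allowlisted names.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "lodash": "^4.17.21",
    "lodahs": "1.0.0",     // transposed letters, two edits from "lodash"
    "expresss": "4.18.2",  // one extra character, one edit from "express"
    "react": "18.2.0",
  },
  devDependencies: {
    "axois": "1.4.0",      // transposed letters, two edits from "axios"
  },
});

// Standard Levenshtein edit distance between two strings (single-row DP).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // holds d[i-1][j-1] as j advances
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Normalize a package name: drop a scope prefix, lowercase, and remove the
// separators ("-", "_", ".") that squatters commonly add or vary.
function normalize(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Scan a package.json string and return the dependencies whose name is not
// on the allowlist but is within `maxDistance` edits of an allowlisted name.
function findTyposquatCandidates(packageJsonText, known = KNOWN_PACKAGES, maxDistance = 2) {
  const manifest = JSON.parse(packageJsonText);
  const deps = Object.assign({}, manifest.dependencies, manifest.devDependencies);
  const knownSet = new Set(known.map(normalize));
  const findings = [];
  for (const name of Object.keys(deps)) {
    const norm = normalize(name);
    if (knownSet.has(norm)) continue; // exact (normalized) match is fine
    for (const legit of known) {
      const d = levenshtein(norm, normalize(legit));
      if (d <= maxDistance) {
        findings.push({ dependency: name, resembles: legit, distance: d });
        break;
      }
    }
  }
  return findings;
}

// Run against the constructed manifest when executed directly.
console.log(JSON.stringify(findTyposquatCandidates(SAMPLE_PACKAGE_JSON), null, 2));
```

A hit from this check is a prompt to verify the package on the registry (publisher, age, download history, install scripts) before it ships, not proof of malice: with a distance threshold of 2, short legitimate names can collide, so the threshold and the allowlist should be tuned to the dependencies a team actually uses.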
On July 1, 2022, the ReversingLabs team contacted the NPM security team to disclose its findings, although certain harmful IconBurst packages are still accessible through the NPM registry. According to Zanki, most of the identified packages were still available for download at the time of writing, while a handful of them had been removed from NPM. The attacks went on for months before coming to our attention because very few development firms have the capacity to identify malicious code within open-source libraries and modules.
Although the researchers were able to compile a list of the malicious packages used in it, the full impact of the IconBurst supply-chain attack has yet to be determined: there is no way to know how much data and how many login credentials have been stolen through infected websites and apps since December 2021. The only available metrics are the install counts ReversingLabs reported for each malicious NPM module.
Zanki said that the malicious packages we identified are probably employed by hundreds, if not thousands, of downstream mobile and desktop programs as well as websites. The exact scope of this assault is yet unknown. Many desktop and mobile programs and websites are executing the malicious code packed with the NPM modules, capturing enormous quantities of user data. The identified NPM modules have been downloaded more than 27,000 times in total.