dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Avatar
info@thehackernews.com (The Hacker News)
July 9, 2024
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a “complex and persistent” supply chain attack. “This attack stands out due to the high variability across packages,” Phylum said in an analysis published last week. “The attacker has cleverly hidden the malware in the seldom-used ‘end’ function of
Total
0
Shares
0
0
0

Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a “complex and persistent” supply chain attack.

“This attack stands out due to the high variability across packages,” Phylum said in an analysis published last week.

“The attacker has cleverly hidden the malware in the seldom-used ‘end‘ function of jQuery, which is internally called by the more popular ‘fadeTo‘ function from its animation utilities.”

As many as 68 packages have been linked to the campaign. They were published to the npm registry starting from May 26 to June 23, 2024, using names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.

There is evidence to suggest that each of the bogus packages were manually assembled and published due to the sheer number of packages published from various accounts, the differences in naming conventions, the inclusion of personal files, and the long time period over which they were uploaded.

This is unlike other commonly observed methods in which attackers tend to follow a predefined pattern that underscores an element of automation involved in creating and publishing the packages.

The malicious changes, per Phylum, have been introduced in a function named “end,” allowing the threat actor to exfiltrate website form data to a remote URL.

Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called “indexsc.” Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.

“It’s worth noting that jsDelivr constructs these GitHub URLs automatically without needing to upload anything to the CDN explicitly,” Phylum said.

“This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself.”

The development comes as Datadog identified a series of packages on the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

As Cyber Command evolves, its novel malware alert system fades away

July 9, 2024
Next Post

Cybersecurity Agencies Warn of China-linked APT40’s Rapid Exploit Adaptation

July 9, 2024
Related Posts
3 min

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity
Avatar
info@thehackernews.com (The Hacker News)
September 3, 2024
Read More
3 min

Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign

A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files (.env) that contain credentials associated with cloud and social media applications. "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence
Avatar
info@thehackernews.com (The Hacker News)
August 16, 2024
Read More
2 min

New Malware PG_MEM Targets PostgreSQL Databases for Crypto Mining

Cybersecurity researchers have unpacked a new malware strain dubbed PG_MEM that's designed to mine cryptocurrency after brute-forcing their way into PostgreSQL database instances. "Brute-force attacks on Postgres involve repeatedly attempting to guess the database credentials until access is gained, exploiting weak passwords," Aqua security researcher Assaf Morag said in a technical report. "
Avatar
info@thehackernews.com (The Hacker News)
August 22, 2024
Read More