Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Avatar
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a “complex and persistent” supply chain attack. “This attack stands out due to the high variability across packages,” Phylum said in an analysis published last week. “The attacker has cleverly hidden the malware in the seldom-used ‘end’ function of

Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a “complex and persistent” supply chain attack.

“This attack stands out due to the high variability across packages,” Phylum said in an analysis published last week.

“The attacker has cleverly hidden the malware in the seldom-used ‘end‘ function of jQuery, which is internally called by the more popular ‘fadeTo‘ function from its animation utilities.”

As many as 68 packages have been linked to the campaign. They were published to the npm registry starting from May 26 to June 23, 2024, using names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.

There is evidence to suggest that each of the bogus packages were manually assembled and published due to the sheer number of packages published from various accounts, the differences in naming conventions, the inclusion of personal files, and the long time period over which they were uploaded.

This is unlike other commonly observed methods in which attackers tend to follow a predefined pattern that underscores an element of automation involved in creating and publishing the packages.

The malicious changes, per Phylum, have been introduced in a function named “end,” allowing the threat actor to exfiltrate website form data to a remote URL.

Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called “indexsc.” Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.

“It’s worth noting that jsDelivr constructs these GitHub URLs automatically without needing to upload anything to the CDN explicitly,” Phylum said.

“This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself.”

The development comes as Datadog identified a series of packages on the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

As Cyber Command evolves, its novel malware alert system fades away

Next Post

Cybersecurity Agencies Warn of China-linked APT40’s Rapid Exploit Adaptation

Related Posts

When is One Vulnerability Scanner Not Enough?

Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space. The benefits of using multiple scanning engines Generally speaking
Avatar
Read More