Researchers have uncovered a software supply-chain attack involving packages hosted on the Node Package Manager (npm), which is the package manager for the Node.js JavaScript platform. The campaign leveraged malicious npm modules in order to harvest sensitive data from forms that were embedded in various mobile applications and websites.
Researchers with ReversingLabs found that more than two dozen npm packages, with some dating back to at least December 2021, contained code designed to steal form data from end users of the applications or websites that were deploying the malicious packages. The full extent of the attack isn’t known, said researchers, but the malicious packages are likely used by hundreds of downstream applications and websites. The npm modules identified as part of the campaign have been collectively downloaded more than 27,000 times, said researchers.
“Upon closer inspection, we discovered evidence of a coordinated supply chain attack, with a large number of npm packages containing jQuery scripts designed to steal form data from deployed applications that include them,” said Karlo Zanki, reverse engineer at ReversingLabs in a Tuesday analysis.
ReversingLabs reached out to the npm security team to report the findings on July 1. However, while a few of the malicious packages have been removed from npm, most are still available for download at the time of the report, they said. As of Tuesday, the list of malicious packages that have been removed is constantly changing as the npm security team is pulling down packages, and the actor is still actively publishing new ones, said Tomislav Pericin, chief software architect with ReversingLabs.
Researchers first uncovered the malicious npm packages after detecting that they were using an obfuscation and encoding tool that is aimed at protecting the code of JavaScript applications from being stolen or reverse engineered.
"Despite the respectable bona fides of javascript obfuscator and its laudable purpose, our past research revealed several instances of malicious packages using this tool to disguise malicious code," said researchers. "At this point, every encounter with such behavior requires a closer look."
In this campaign, threat actors used typo-squatting in order to impersonate high-traffic modules, by using names of packages in public repositories that are similar to (or have a common misspelling of) legitimate packages. For instance, they mimicked packages published by the legitimate and popular open-source icon set, ionicons, by publishing 18 versions of an npm package named icon-package under the author name ionic-io. This malicious icon-package has over 17,000 downloads, said researchers. Beyond typo-squatting the names of the npm packages, attackers also passed the exfiltrated data through a domain (ionicio[.]com) that impersonated the legitimate ionicons framework (ionic[.]io), complete with a fake webpage that looked similar to the real one.
“Under the hood, the malicious packages use a modified script that extends the behavior of the jQuery ajax() function to exfiltrate serialized form data to domains controlled by the attacker,” said researchers. “Prior to sending the data, the function validates the URL content to perform target filtering checks.”
Researchers said all the malicious packages collected form data using these jQuery Ajax functions in a similar manner, and then ultimately exfiltrated that data to various domains controlled by malicious authors. Pericin said, depending on the variant of the malicious package, the actor targeted credentials for the PUBG game series, general login forms, and, in the most extreme case, all web page form data.
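The behaviour described above (a script that redefines jQuery's ajax() so that serialized form data is sent to a hard-coded remote host, wrapped in javascript-obfuscator output) is something a defender can look for before a package ever reaches a build. The following is an added example, not code from the ReversingLabs analysis: a small static scanner that scores a package's JavaScript source against those indicators. The indicator regexes, the sample sources and the scoring rule are this example's own assumptions; the only page-derived value is the ionicio.com host named in the report, used here as a known-bad entry.

```javascript
// Added example (not ReversingLabs' code): static indicators for the
// "modified jQuery ajax() that exfiltrates serialized forms" pattern.
const INDICATORS = [
  {
    id: "ajax-override",
    desc: "assignment to jQuery.ajax / $.ajax (replaces or extends ajax() behaviour)",
    re: /\b(?:jQuery|\$)\.ajax\s*=\s*(?:function|\(|async)/,
  },
  {
    id: "form-serialize",
    desc: "serialises form data (.serialize()/.serializeArray()/FormData)",
    re: /\.serialize(?:Array)?\s*\(|new\s+FormData\s*\(/,
  },
  {
    id: "hardcoded-remote-url",
    desc: "hard-coded http(s) URL to an external host, a candidate exfiltration endpoint",
    re: /["'`]https?:\/\/[a-z0-9.-]+\.[a-z]{2,}[^"'`]*["'`]/i,
  },
  {
    id: "obfuscator-identifiers",
    desc: "hex-named identifiers typical of javascript-obfuscator output",
    re: /\b_0x[0-9a-f]{4,}\b/,
  },
];

// Host named as the exfiltration domain in the ReversingLabs report.
const KNOWN_BAD_HOSTS = ["ionicio.com"];

// Collect the distinct hostnames that appear in http(s) URL literals.
function extractHosts(source) {
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  const hosts = [...source.matchAll(re)].map((m) => m[1].toLowerCase());
  return [...new Set(hosts)];
}

function scanPackageSource(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
  const hosts = extractHosts(source);
  const knownBad = hosts.filter((h) => KNOWN_BAD_HOSTS.includes(h));
  // Any single indicator is common in benign code; an ajax() override combined
  // with form serialisation, or a known-bad host, is what warrants a closer look.
  const suspicious =
    (hits.includes("ajax-override") && hits.includes("form-serialize")) || knownBad.length > 0;
  return { hits, hosts, knownBad, suspicious };
}

// Constructed samples (not taken from any real package): ordinary jQuery usage,
// and a sketch carrying all four indicators with the hook body elided.
const BENIGN_SAMPLE =
  "$('#btn').on('click', function () { $.ajax({ url: '/api/save', data: $('#f').serialize() }); });";
const SUSPICIOUS_SAMPLE = [
  "var _0x3f1a = jQuery.ajax;",
  "jQuery.ajax = function (opts) { /* elided */ };",
  "var payload = $('form').serialize();",
  "var dst = 'https://ionicio.com/collect';",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanPackageSource(BENIGN_SAMPLE));
  console.log(scanPackageSource(SUSPICIOUS_SAMPLE));
}
```

Run it over the unpacked tarball of each dependency (the `npm pack` output, not the git repository, since the published artifact is what runs) and treat a `suspicious: true` result as a trigger for manual review rather than a verdict: plugin authors legitimately wrap `$.ajax`, and obfuscated-looking identifiers also appear in minified builds.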
The campaign appears to have evolved; starting in May, the attackers switched course to mimic other popular UI frameworks beyond ionicons, with a malicious package named umbrellaks, which used typo-squatting to impersonate the umbrellajs JavaScript document object model (DOM) manipulation framework. Similarities between the domains used to exfiltrate data led researchers to conclude that the various modules in the campaign were controlled by a single actor.
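Both the ionicons impersonation described earlier and the umbrellaks/umbrellajs case here rely on names a reader is likely to misread. The following is an added example, not ReversingLabs' tooling: a dependency audit that computes the edit distance between each name in a package.json and a list of well-known packages and flags near-misses. The popular-package list, the distance thresholds, the sample package.json and the function names are this example's own assumptions.

```javascript
// Added example (not ReversingLabs' code): flag dependency names that are a
// small edit away from a popular package, the typo-squatting pattern the
// campaign used (umbrellaks impersonating umbrellajs).

// Standard Levenshtein distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // value of the cell above-left, i.e. D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Constructed allowlist standing in for "popular packages"; a real deployment
// would derive it from npm download statistics or an internal registry mirror.
const POPULAR = ["ionicons", "umbrellajs", "jquery", "lodash", "express", "react"];

function findTyposquatCandidates(dependencyNames, popular = POPULAR) {
  const findings = [];
  for (const name of dependencyNames) {
    if (popular.includes(name)) continue; // exact match: the real package
    const bare = name.replace(/^@[^/]+\//, ""); // compare without the scope
    for (const known of popular) {
      const d = levenshtein(bare, known);
      const threshold = known.length >= 8 ? 2 : 1; // longer names tolerate two edits
      if (d <= threshold) findings.push({ name, lookalike: known, distance: d });
    }
  }
  return findings;
}

// Audit the dependencies and devDependencies of a package.json document.
function auditPackageJson(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return findTyposquatCandidates(deps);
}

// Constructed package.json: two look-alike names among a genuine one.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { umbrellaks: "^3.0.0", lodash: "^4.17.21" },
  devDependencies: { expres: "^4.18.0" },
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
}
```

A distance check like this catches umbrellaks but would not have flagged icon-package, which borrowed ionicons' branding and the author name ionic-io rather than a near-identical package name; name-distance screening is therefore one input to dependency review, alongside checking the publisher and the package's history, not a replacement for it.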
The campaign once again sheds light on software supply-chain security issues previously highlighted by incidents like the SolarWinds breach. Attackers in this campaign leveraged the decentralized nature of application development to their advantage, and researchers stressed that software development organizations and their customers need new processes for assessing supply-chain risks. At the same time, npm modules are typically a valuable target for attackers due to their level of popularity with developers.
Malicious npm packages have been discovered frequently over the past year, as seen in another recent campaign in March, where researchers uncovered an attacker uploading more than 200 malicious npm packages designed to steal personally identifiable information. However, while this more recent campaign targeted software end users, the March campaign targeted npm developers looking for Azure tools.
In this campaign, “it is the end users of software (and their data) rather than development organizations that are the real targets,” said Zanki. “That makes this attack more comparable to the infamous SolarWinds compromise than to other, more recent supply chain compromises.”