Phylum uncovers large-scale trojanized jQuery attacks targeting npm, GitHub, and CDNs. Malicious actors steal user form data through a modified jQuery library. Learn how to stay safe and protect your website.
Researchers at the software supply chain security firm Phylum have uncovered a persistent supply chain attack targeting developers who use the popular JavaScript library jQuery. According to the researchers, attackers have published trojanized versions of jQuery in dozens of packages under multiple npm accounts.
Phylum has been monitoring this ‘persistent attacker’ since May 26, 2024. The malicious jQuery variant was first discovered on npm and later on GitHub and a CDN-hosted resource on jsDelivr.
This attack stands out because of its unconventional nature. Unlike typical supply chain attacks that rely on automated scripts, the attackers here carefully crafted individual packages containing legitimate jQuery code with a slight but critical modification. The high variability across packages and the extended timeframe suggest that each package was manually assembled and published.
The attacker smartly concealed the malware in the lesser-used ‘end’ function of jQuery, which is called internally by the fadeTo function from the library’s animation utilities. The malicious twist lies entirely in the alteration of this end function within the jQuery library.
This function, typically used to return the previous state in a chain of operations, was modified to send user form data to a remote server. This means whenever the end function is called, all form data on the page, potentially including login credentials, search queries, or other sensitive information, is exfiltrated to the attacker.
“The exfiltration URLs were almost unique for each package, and the attacker published to npm under new usernames,” researchers explained in the blog post.
The malware triggers when a user installs a malicious package, uses a trojanized jQuery file, and invokes either the end function or fadeTo function. While the end function itself might not be widely used directly, it becomes concerning when considering its role within the fadeTo animation method, a commonly used feature in jQuery. This means any website using the fadeTo animation with the trojanized library could be unknowingly leaking user data.
Phylum researchers discovered several versions of the trojanized jQuery hosted on GitHub by a user named “indexsc” and even found it embedded within a script attempting to manipulate the version of the Ionicons library. This script not only injects a vulnerable version of Ionicons but also loads another trojanized jQuery file.
To stay safe, update npm packages that rely on jQuery immediately to ensure clean, unmodified libraries. Audit third-party code hosted on GitHub or other platforms, scrutinizing its functionality and origin before integrating it into your project.
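One concrete way to audit a jQuery copy for the tampering described above, as an added example that is neither Phylum’s tooling nor the jQuery project’s code: it locates the end method in a jQuery file’s source text and flags any body that departs from jQuery 3.x’s one-line implementation or that references form serialization or network primitives. The expected body, the suspicious-token list, the sendToRemote helper and the sample inputs are assumptions constructed for this example.

```javascript
// Added example (not Phylum's or jQuery's code): heuristic audit of the `end`
// method in a jQuery source file. ASSUMPTION: the expected body is jQuery 3.x's
// `return this.prevObject || this.constructor();`; adjust for other versions.
const EXPECTED_END_BODY = "return this.prevObject || this.constructor();";

// Tokens that have no business inside a one-line traversal helper.
const SUSPICIOUS = [
  /\bfetch\s*\(/, /XMLHttpRequest/, /sendBeacon/, /\.serialize\s*\(/,
  /\bajax\s*\(/, /new\s+Image\s*\(/, /\bform\b/,
];

// Locate `end: function(...) {` and return its body via brace matching
// (works on both pretty and minified builds). Returns null if not found.
function extractEndBody(src) {
  const m = /\bend\s*:\s*function\s*\([^)]*\)\s*\{/.exec(src);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1, i = start;
  while (i < src.length && depth > 0) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}") depth--;
    i++;
  }
  return depth === 0 ? src.slice(start, i - 1) : null;
}

// Strip whitespace and trailing semicolons so minified and pretty bodies compare equal.
const normalize = (body) => body.replace(/\s+/g, "").replace(/;+$/, "");

// Returns { tampered, reasons } for a jQuery source string.
function auditEndFunction(src) {
  const body = extractEndBody(src);
  if (body === null) return { tampered: true, reasons: ["end() not found"] };
  const reasons = [];
  if (normalize(body) !== normalize(EXPECTED_END_BODY)) reasons.push("body differs from expected");
  for (const re of SUSPICIOUS) if (re.test(body)) reasons.push("suspicious token: " + re.source);
  return { tampered: reasons.length > 0, reasons };
}

// Constructed samples: a pretty clean build, a minified clean build, and a
// modified `end` that serializes page forms before returning (sendToRemote is hypothetical).
const CLEAN_SAMPLE = "jQuery.fn.extend({\n  end: function() {\n    return this.prevObject || this.constructor();\n  }\n});";
const CLEAN_MINIFIED = "e.fn.extend({end:function(){return this.prevObject||this.constructor()}})";
const TAMPERED_SAMPLE = "jQuery.fn.extend({ end: function() {\n  sendToRemote(jQuery(\"form\").serialize());\n  return this.prevObject || this.constructor();\n} });";

console.log(auditEndFunction(CLEAN_SAMPLE), auditEndFunction(CLEAN_MINIFIED), auditEndFunction(TAMPERED_SAMPLE));
```

Run it against the jQuery file actually shipped in a package or fetched from a CDN; a non-empty reasons list is a prompt for manual review, not proof of compromise, since the heuristic only inspects the first end method it finds.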