A complex and persistent supply chain attack has been discovered, involving trojanized versions of jQuery distributed through npm, GitHub, and jsDelivr. This attack is notable for its high variability across packages and its sophisticated approach to embedding malware.
Between May 26 and June 23, 2024, unknown threat actors published 68 malicious packages on the npm registry under names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets. Unlike typical automated campaigns, each package appears to have been assembled and published by hand: the naming is inconsistent, several packages include the author's personal files, and the uploads were spread over roughly a month rather than batched.
Phylum, a cybersecurity firm, reported that the attackers hid the malware in the seldom-used 'end' function of jQuery. That function is called internally by the far more common 'fadeTo' function from jQuery's animation utilities, so the payload runs on any page that fades an element even if application code never calls 'end' directly. When triggered, it collects form data from the page and exfiltrates it to a remote URL.
Further investigation revealed that the trojanized jQuery files were hosted in a GitHub repository belonging to an account called "indexsc." The same repository contained JavaScript files that load the modified library. Because jsDelivr can serve files directly from a GitHub repository, the attackers could reference their build through cdn.jsdelivr.net URLs, which look like ordinary CDN-hosted jQuery and may pass firewall rules and security checks that trust the CDN hostname.
Key Details:
- Scope: 68 packages published between May 26 and June 23, 2024.
- Method: Manual assembly and publication, diverse naming conventions.
- Malware Function: Hidden in the 'end' function of jQuery, exfiltrating form data.
- Legitimacy Tactics: jsDelivr used to serve the GitHub-hosted files from a trusted-looking CDN URL.
This incident highlights the evolving tactics of threat actors targeting supply chains. The practical lessons are the usual ones, applied with more urgency: vet packages before installing them, pin dependency versions, and verify the integrity of CDN-served libraries rather than trusting the hostname they are served from.