IconBurst: NPM software supply chain attack grabs data from apps, websites
ReversingLabs researchers recently discovered evidence of a widespread software supply chain attack involving malicious Javascript packages offered via the NPM package manager. Researchers at ReversingLabs identified more than two dozen NPM packages, dating back six months, that contain obfuscated Javascript designed to steal form data from individuals using applications or websites where the malicious packages had been deployed. Upon closer inspection, we discovered evidence of a coordinated supply chain attack, with a large number of NPM packages containing jQuery scripts designed to steal form data from deployed applications that include them. While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites. In one case, a malicious package had been downloaded more than 17,000 times. As with the recent (benign) dependency confusion attacks targeting German organizations, these clearly malicious attacks relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages. Attackers impersonated high-traffic NPM modules like umbrellajs and packages published by ionic.io. However, it is the end users of software (and their data) rather than development organizations that are the real targets. That makes this attack more comparable to the infamous SolarWinds compromise than to other, more recent supply chain compromises. Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor. Here’s detailed information on this widespread software supply chain attack, including known indicators of compromise (IOCs) associated with the attacks — and recommendations for remediating the threat posed by these malicious NPM modules.
The ReversingLabs research team is continuously monitoring open-source package repositories for instances of malicious code planting and software supply chain attacks. This work involves both automated and human-led scanning and analysis of packages published in the most popular public package repositories like NPM, PyPI, Ruby and NuGet. During these scans, we leverage our proprietary Titanium platform, and our deep file repository of goodware and badware to spot malicious and even suspicious elements hiding in plain view. Our newly released ReversingLabs secure.software solution builds upon that past work. The platform provides a way for dev and SOC teams to deeply examine their CI/CD workflows, containers and release packages to spot nascent or active software supply chain compromises. Frequently, our work turns up evidence of active software supply chain attacks. In April, we came across NPM packages that used a javascript obfuscator to hide their functionality. Our analysis of those packages produced proof of the simulated “dependency confusion” attacks on the software supply chain of leading German companies across a number of industries. We have been tracking NPM repositories for occurrences of packages that use the same obfuscator ever since. Here’s how tracking the usage of this obfuscation technique resulted in discovering several NPM accounts, which were used to publish malicious code designed to steal form data entered by end users of infected web applications.
