Security researchers have discovered a significant new software supply chain attack affecting thousands of applications and websites involving the use of malicious npm packages.

ReversingLabs found more than two dozen npm modules dating back six months. They contained obfuscated JavaScript designed to steal form data from the apps they were deployed to.

Attackers appear to have used typosquatting techniques to trick developers into downloading their malicious packages.

They impersonated high-traffic npm modules like “umbrellajs,” renamed “umbrellaks,” and packages published by ionic.io.

“Packages created by the npm ionic-io author … show that the author published 18 versions of an npm package named ‘icon-package’ containing the malicious form stealing code,” ReversingLabs wrote.

“That was a glaring attempt to mislead developers into using this package instead of ‘ionicons,’ a popular, open source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps.”
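The typosquatting pattern described above ("umbrellajs" versus "umbrellaks") is one a project can screen for before install. The following is an added example written for this article, not code from ReversingLabs or from npm: it reads a `dependencies` map of the kind found in `package.json`, compares each name against an allow-list of well-known packages, and flags names that are within a small edit distance of a known one. The allow-list and the sample dependency map are constructed for the demo.

```javascript
// Added example (not from the article or ReversingLabs): flag dependencies
// whose names are a small edit away from well-known npm package names, the
// typosquatting pattern the article describes ("umbrellajs" vs "umbrellaks").

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, (_, i) => {
    const row = new Array(cols).fill(0);
    row[0] = i; // deleting i characters of `a`
    return row;
  });
  for (let j = 1; j < cols; j++) d[0][j] = j; // inserting j characters of `b`
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,        // deletion
        d[i][j - 1] + 1,        // insertion
        d[i - 1][j - 1] + cost  // substitution (or match)
      );
    }
  }
  return d[rows - 1][cols - 1];
}

// Assumed allow-list of well-known package names to compare against. In a real
// project this would be built from the dependencies the team actually vetted.
const KNOWN_PACKAGES = ['umbrellajs', 'ionicons', 'lodash', 'express', 'react'];

// Return the dependencies that are NOT an exact match for a known package but
// sit within `maxDistance` edits of one. Each finding names the lookalike.
function findTyposquatCandidates(dependencies, knownPackages = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (knownPackages.includes(name)) continue; // exact match: nothing to flag
    for (const known of knownPackages) {
      const distance = editDistance(name, known);
      if (distance <= maxDistance) {
        findings.push({ name, lookalikeOf: known, distance });
      }
    }
  }
  return findings;
}

// Constructed sample `dependencies` section for the demo.
const SAMPLE_DEPENDENCIES = {
  umbrellaks: '^3.3.0',     // one substitution away from umbrellajs (from the article)
  'icon-package': '1.0.0',  // named in the article, but not a near-miss of ionicons by edit distance
  lodash: '^4.17.21',       // legitimate, exact match
  expres: '^4.18.0',        // constructed: one deletion away from express
};

function main() {
  for (const f of findTyposquatCandidates(SAMPLE_DEPENDENCIES)) {
    console.log(`suspicious dependency "${f.name}" looks like "${f.lookalikeOf}" (edit distance ${f.distance})`);
  }
}

main();
```

Running it reports `umbrellaks` (distance 1 from `umbrellajs`) and `expres` (distance 1 from `express`). Note the caveat the article itself illustrates: `icon-package`, which impersonated `ionicons` by theme rather than by spelling, is not caught by a name-similarity heuristic, so this check complements, rather than replaces, review of what a package actually does.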

All the packages were designed to collect form data using jQuery Ajax functions and then exfiltrate that data to domains controlled by the threat actors.

The full extent of the campaign has yet to be revealed, but it already highlights systemic challenges facing developers who use open source components to accelerate time-to-market.

“It is clear that software development organizations as well as their customers need new tools and processes for assessing supply chain risks like the ones posed by these malicious npm packages. The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component,” argued ReversingLabs.

“The success of this attack – with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks – underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.”
