Security researchers have discovered a significant new software supply chain attack affecting thousands of applications and websites involving the use of malicious npm packages.

ReversingLabs found more than two dozen npm modules dating back six months. They contained obfuscated Javascript designed to steal form data from the apps they were deployed to.  

Attackers appear to have used typosquatting techniques to trick developers into downloading their malicious packages.

They impersonated high-traffic npm modules like “umbrellajs,” renamed “umbrellaks,” and packages published by

“Packages created by the npm ionic-io author … show that the author published 18 versions of an npm package named ‘icon-package’ containing the malicious form stealing code,” ReversingLabs wrote.

“That was a glaring attempt to mislead developers into using this package instead of ‘ionicons,’ a popular, open source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps.”

All the packages were designed to collect form data using jQuery Ajax functions and then exfiltrate that data to domains controlled by the threat actors.

The full extent of the campaign has yet to be revealed, but it already highlights systemic challenges facing developers who use open source components to accelerate time-to-market.

“It is clear that software development organizations as well as their customers need new tools and processes for assessing supply chain risks like the ones posed by these malicious npm packages. The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component,” argued ReversingLabs.

“The success of this attack – with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks – underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.”

Open chat
Iam Guest Posting Service
I Have 600 Site
Status : Indexed All
Good DA : 40-60
Different Nice I Category
Drip Feed Allowed
I can instant publish

My Service :
1. I will do your orders maximum of 1X24 hours, if at the time i’am online. I will do a maximum of 1 hour and the process is complete.
2. If any of you orders are not completed a maximum of 1x24 hours, you do not have to pay me, or free.
3. For the weekend, I usually online, that weekend when i’am not online, it means i’am working Monday.
4. For the payment, maximum payed one day after published live link.
5. Payment via paypal account
If you interesting, please reply
Thank You