Trojanized jQuery Packages Spread via 'Complex' Supply Chain Attack

Once again, cyberattackers are targeting JavaScript developers — this time in a "complex and persistent supply chain attack" that's distributing Trojanized packages for the popular JavaScript library jQuery across GitHub, Node Package Manager (npm), and jsDelivr repositories.

Each package contains a copy of jQuery with one small difference: the end function, a part of the jQuery prototype, is modified to include additional malicious code designed to extract website form data and send it to one of many URLs.

That's according to the Phylum Research Team, which said that, notably, the attackers have shown an unusual lack of a clear pattern of nomenclature and attribution, which deviates from typical software supply chain attacks of this kind; it "stands out due to the high variability across packages," the team wrote in a recent blog post.

The unknown attackers have spreading dozens of malicious jQuery packages since May 26, according to the research. Phylum researchers discovered the first malicious jQuery variant on npm, the default package manager for JavaScript's runtime Node.js; this variant then was published in dozens of npm packages over a month's time. Later, the researchers found instances of the Trojanized jQuery on other platforms, such as GitHub, and even found a version in a content delivery network (CDN)-hosted resource on jsDelivr.

The volume of the published packages so far is "relatively minimal," with about 68 in total found, the researchers said. The packages are often named jquery.min.js, with other variations such as registration.min.js, icon.min.js, and fontawesome.js. "The exfiltration URLs were almost unique for each package, and the attacker published to npm under new usernames," according to the post.

Sometimes a single user would publish multiple, related malicious jQuery packages, while other times the attackers included multiple file versions with different names within the same project. Moreover, almost every package also contains personal files not typically included in npm publications, such as the npm cache folder, npm logs folder, and a termux.properties file.

"Overall, this attack is unlike most we've seen at this scale, which typically have a clear, well-defined pattern and an obvious automated aspect," the team noted. "Here, the ad-hoc nature and custom variability of the packages, along with the long timeframe over which they were published, suggest that each package was manually assembled and published."

Targeted Supply Chain Attack Effort or Not?

The manual nature of the attack tracks with evidence that it appears to be a targeted effort: It takes a specific set of victim actions for the malware to execute.

"For the malware to be triggered, a user must install one of the malicious packages, use the included trojanized jQuery file, and then invoke either the end function or the fadeTo function," according to the post.

That said, while the end function itself doesn't appear to be widely used directly in development that uses jQuery, the fadeTo function, which is from jQuery’s animation toolkit, uses this end method far more widely, the team noted.

"This specific chain of conditions makes it unclear whether this is a highly targeted attack or if the attacker is simply blending in well and randomly affecting users who download and use these packages," according to the post.

Moreover, despite the "narrow set of conditions" required to trip the malware, the broad distribution of the packages means the attack can potentially have a wide impact that affects "many unsuspecting developers," exemplifying "the rising complexity and potential for the broad reach of supply chain threat actors," the team noted.

Heightened Vigilance Required

Indeed, the publication of malicious npm and other code packages to popular developer repositories has become an veritable security epidemic, with state-sponsored threat actors like North Korea's Moonstone Sleet and other threat actors using this tactic as a way to poison code across the software supply chain and thus reach a broad attack surface with minimal effort.

The increase in supply chain attacks that leverage code repositories requires heightened vigilance not only within the open source communities that manage the projects, but also among organizations, which are encouraged to scan any code used in development projects before distributing it to developers.

To help developers that use jQuery to avoid installing the malicious packages, Phylum's researchers included a list of all the names of the packages related to the campaign and the date they were published as well as the username associated with who published them in the blog post. They also included a long list of domains related to the campaign.