Supply chain attack uses malicious NPM packages to steal data
Researchers have discovered a supply chain attack that uses packages hosted on the Node Package Manager, the manager for the Node.js JavaScript platform.
Detailed today by Reverse Engineer Karlo Zanki at Reversing Labs Inc., the software supply chain attack involves more than two dozen NPM packages that contain obfuscated JavaScript. The packages are designed to steal from data from individuals using applications or websites where the malicious packages have been deployed.
The attacks are believed to date back to December 2021. Although the full extent of the attacks are not yet known, the malicious packages are believed to have likely been used by hundreds if not thousands of downstream websites and mobile and desktop applications. In one case, a malicious package had been downloaded more than 17,000 times.
Dubbed “IconBurst,” the distribution of the malicious NPM packages relies on typo-squatting. The threat actors disguise the malicious code with names similar to or with common misspellings of legitimate packages. The attackers impersonate high-traffic NPM models such as umbrellajs and packages published by ionic.io.
The malicious code’s ultimate aim is to target end-users of software and their data, rather than development organizations. “That makes this attack more comparable to the infamous SolarWinds compromise than to other, more recent supply chain compromises,” Zanki explained. “Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor.”
Zanki concluded that the attack marks a significant escalation in software supply attacks. It’s noted that very few development organizations can detect malicious code within open-source libraries and modules and that the attacks persisted for months before being discovered.
“This NPM incident is a further reminder of software supply chain risks,” Uriel Maimon, vice president of emerging products at application protection company PerimeterX Inc., told SiliconANGLE. “We strongly advise organizations to ask themselves whether they have the tools and capabilities to notice and take action on changes, potential risks and anomalies in their supply chain, and analyze the behavior of users on their website.”
Maimon added that organizations should use a multitiered approach that looks at the entire attack lifecycle. That includes the ability to monitor data theft and harvesting through validation to provide indications of account takeover activity and prevent it regardless of the method the attacker’s method.
Image: ReversingLabs
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU