Unknown threat actors have been distributing trojanized versions of jQuery on npm, GitHub, and jsDelivr, marking a “complex and persistent” supply chain attack.
Phylum’s recent analysis reveals that the attackers cleverly embedded malware within the seldom-used ‘end’ function of jQuery, which is internally called by the popular ‘fadeTo’ animation utility. The malicious function allows the exfiltration of website form data to a remote URL.
As many as 68 packages have been linked to this campaign, published to the npm registry between May 26 and June 23, 2024. Package names include cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets. Unlike other attacks that follow automated patterns, these packages were manually assembled and published, evident by the diverse naming conventions and personal file inclusions.
Further investigation identified the trojanized jQuery file hosted on a GitHub repository associated with the “indexsc” account, along with JavaScript files that reference the modified library. jsDelivr automatically constructs these GitHub URLs, potentially aiding the attackers in making the source appear legitimate or bypassing firewalls.
Trojanized jQuery packages have been detected on npm, GitHub, and jsDelivr, signaling a sophisticated supply chain attack involving hidden malware. Stay vigilant! #Cybersecurity #TechNews #Coding #Infosec
— Ox HaK (@oxhak) July 9, 2024
This discovery coincides with Datadog’s findings of malicious packages on the Python Package Index (PyPI) repository, which download a second-stage binary based on CPU architecture.
Developers are urged to verify and update their dependencies to avoid falling victim to this supply chain attack.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
