Hackers are again targeting software developers in ‘complex and persistent’ supply chain attack.
Recently, cybersecurity researchers from Phylum discovered a new campaign where unknown hackers distributed dozens of malicious libraries through several code repositories, including npm, GitHub, and jsDelivr.
All of these libraries mimicked jQuery, a small, fast, and versatile JavaScript library designed to simplify client-side scripting of HTML.
Dozens of packages
jQuery makes it easier to write JavaScript code, as the library provides several features such as simplified event handling, animations, and Ajax interactions. It allows developers to perform complex tasks with fewer lines of code compared to regular JavaScript.
“This attack is notable for its high variability between packages,” Phylum said. “The attacker cleverly hid the malware in the rarely used ‘end’ function of jQuery, which is internally called by the more popular ‘fadeTo’ function of its animation utilities.”
So far, Phylum has identified 68 packages, published between late May and late June this year. Some of the package names are cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets.
This isn’t the first time hackers have targeted software developers and their customers via weaponized packages. However, there is usually a healthy dose of automation in such campaigns, which is reflected in the way the packages are named and the dates they are uploaded. This campaign, on the other hand, appears to be entirely manual, as none of these boxes are checked.
Of the various repositories, PyPI, GitHub, and npm are the most frequently targeted.
For example, PyPI was forced to suspend new accounts and new project creations multiple times to prevent hackers from uploading large amounts of malicious packages. GitHub, on the other hand, saw hackers upload “millions of repos capable of stealing sensitive information and information cookies” in late February of this year.
Through TheHackerNews
