A single supply chain attack compromises hundreds of websites and applications

A single attack on the NPM supply chain has likely compromised hundreds, if not thousands, of websites and desktop applications, researchers at ReversingLabs have found.

According to ReversingLabs, a campaign it tracks as IconBurst published a series of malicious NPM modules that serialize form data and exfiltrate it to attacker-controlled domains, giving the modules names almost identical to those of legitimate, widely used packages.

This is a popular attack technique known as typosquatting: the attackers impersonate legitimate packages, betting that developers who are in a hurry, or who don't check details like the exact npm package name, will download the look-alike modules and integrate them into their work.
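The look-alike naming described above can be caught before install with a simple check over the dependency list. The following is an added example, not code from the article or from ReversingLabs: it compares every name in a package.json against an assumed allowlist of trusted package names using optimal string alignment distance (Levenshtein plus adjacent transpositions, so a swapped pair of letters counts as one edit), after lowercasing and dropping separators so that "umbrella-js" collides with "umbrellajs". The package names in the sample manifest are constructed for the demonstration and are not the IconBurst packages.

```javascript
// Assumed allowlist of legitimate package names (would normally come from a
// curated list or the organisation's own approved-dependency inventory).
const KNOWN = ["lodash", "express", "react", "axios", "chalk", "umbrellajs"];

// Optimal string alignment distance: insert, delete, substitute cost 1,
// and a transposition of two adjacent characters also costs 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Lowercase and strip "-", "_" and "." so that separator games do not hide a
// lookalike. The npm scope ("@org/") is deliberately kept: "@types/react" must
// not be reported as a clone of "react".
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Return every dependency whose normalized name is within a small edit
// distance of a trusted name but is not itself that trusted name. Short names
// get a tighter threshold (1 edit) because 2 edits on a 5-letter name is noise.
function findSuspects(pkgJson, known = KNOWN, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const suspects = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact trusted name: nothing to do
    const norm = normalize(name);
    const allowed = norm.length >= 8 ? maxDistance : 1;
    for (const legit of known) {
      const dist = osaDistance(norm, normalize(legit));
      if (dist <= allowed) {
        suspects.push({ name, lookalikeOf: legit, distance: dist });
        break;
      }
    }
  }
  return suspects;
}

// Constructed sample manifest (hypothetical names, not real malicious packages).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "lodash": "^4.17.21",     // legitimate
    "lodahs": "4.17.21",      // transposed letters, 1 edit from "lodash"
    "expresss": "4.18.1",     // extra letter, 1 edit from "express"
    "left-pad": "1.3.0",      // not near any trusted name, should not be flagged
  },
  devDependencies: {
    "umbrella-js": "3.3.0",   // separator trick, 0 edits from "umbrellajs"
    "react": "18.2.0",        // legitimate
  },
};

console.log(JSON.stringify(findSuspects(SAMPLE_PACKAGE_JSON), null, 2));
```

In practice, feed `findSuspects` the parsed contents of a real package.json (or walk a lockfile so transitive dependencies are covered too) and fail the build on any hit; a zero-distance match after normalization is the strongest signal, since no honest package needs a name that differs from a popular one only by a hyphen. The check is deliberately name-based and says nothing about what the code does, so treat it as a cheap first filter, not as a substitute for inspecting a package's install scripts and network calls.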

Tens of thousands of downloads

"The similarities between the domains used to exfiltrate the data suggest that the different modules of this campaign are under the control of a single actor," explained Karlo Zanki, reverse engineer at ReversingLabs.

The team reported its findings to NPM's security team earlier this month, but many of the malicious packages were still available at the time of the report.

"Although some of the named packages have been removed from NPM, most are still available for download at the time of this report," Zanki added. "As very few development organizations have the ability to detect malicious code in open source libraries and modules, the attacks persisted for months before coming to our attention."

Determining exactly how much data was stolen is nearly impossible, the researchers added. The campaign has been active since at least December 2021.

"While the scope of this attack is not yet known, it is likely that hundreds, if not thousands, of mobile and desktop apps and websites are using the malicious packages we discovered," Zanki said.

"The NPM modules identified by our team have collectively been downloaded more than 27,000 times."

Via BleepingComputer