Unknown threat actors were found to be distributing trojanized versions of jQuery on npm, GitHub and jsDelivr in what appears to be an instance of a “sophisticated and persistent” supply chain attack.
“This attack stands out for its high variability between packages,” Phylum said in an analysis published last week.
“The attacker cleverly hid the malware in the rarely used ‘end’ function of jQuery, which is called internally by the more popular ‘fadeTo’ function from its animation utility.”
A total of 68 packages are tied to the campaign. They were published to the npm registry between May 26 and June 23, 2024, under names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.
There is evidence to suggest that each of the fake packages was assembled and published manually: the packages came from many different accounts, their names vary widely, several include personal files, and they were uploaded over a long period of time.
This differs from other common techniques, in which attackers tend to follow a predefined pattern that reflects the automation involved in creating and publishing packages.
The malicious modification, according to Phylum, was made to a function called “end” and allows a threat actor to exfiltrate website form data to a remote URL.
Further investigation revealed that the trojanized jQuery file resides in a GitHub repository associated with an account named “index.” Also present in the same repository are JavaScript files containing a script that points to a modified version of the library.
“It’s worth noting that jsDelivr creates these GitHub URLs automatically without the need to upload anything to the CDN explicitly,” Phylum said.
“This is likely an attacker’s attempt to make the source look more legitimate or to sneak past a firewall using jsDelivr instead of downloading the code directly from GitHub itself.”
The development comes as Datadog identified a number of packages in the Python Package Index (PyPI) repository with capabilities to download a second-stage binary from an attacker-controlled server, depending on the processor architecture.