A simple NPM supply-chain attack has led to the compromise of thousands of websites and desktop apps, researchers have found.
According to ReversingLabs, a threat actor known as IconBurst has created a number of malicious NPM modules capable of exfiltrating serialized form data, and given them names almost identical to other, legitimate modules.
This is a popular attack technique known as typosquatting. The attackers essentially try and assume the identities (opens in new tab) of legitimate developers. Then, developers who are in a hurry, or who don’t pay attention to details such as NPM names, download the modules and embed them in their work.
Tens of thousands of downloads
“The similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor,” explained Karlo Zanki, a reverse engineer at ReversingLabs.
The team reached out to the NPM security department earlier this month with its findings, but some malicious packages are still live.
“While a few of the named packages have been removed from NPM, most are still available for download at the time of this report,” Zanki added. “As very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks persisted for months before coming to our attention.”
Determining exactly how much data has been stolen is almost impossible, the researchers added. The campaign has been live since at least December 2021.
“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites,” said Zanki.
“The NPM modules our team identified have been collectively downloaded more than 27,000 times.”