  • Software Supply Chain Attack Hits Thousands of Apps

    aum

    • 365 views
    • 2 minutes

    Security researchers have discovered a significant new software supply chain attack, carried out through malicious npm packages, that affects thousands of applications and websites.


    ReversingLabs found more than two dozen npm modules, the earliest dating back six months, containing obfuscated JavaScript designed to steal form data from the apps they were deployed in.


    Attackers appear to have used typosquatting techniques to trick developers into downloading their malicious packages.


    They impersonated high-traffic npm modules such as “umbrellajs” (published as “umbrellaks”) and packages published by ionic.io.


    “Packages created by the npm ionic-io author … show that the author published 18 versions of an npm package named ‘icon-package’ containing the malicious form stealing code,” ReversingLabs wrote.


    “That was a glaring attempt to mislead developers into using this package instead of ‘ionicons,’ a popular, open source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps.”


    All the packages were designed to collect form data using jQuery Ajax functions and then exfiltrate that data to domains controlled by the threat actors.


    The full extent of the campaign has yet to be revealed, but it already highlights systemic challenges facing developers who use open source components to accelerate time-to-market.


    “It is clear that software development organizations as well as their customers need new tools and processes for assessing supply chain risks like the ones posed by these malicious npm packages. The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component,” argued ReversingLabs.


    “The success of this attack – with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks – underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.”
