Hackers are once again targeting software developers with a “complex and persistent” supply chain attack.
Recently, Phylum cybersecurity researchers discovered a new campaign in which unidentified hackers distributed dozens of malicious libraries across different code repositories, including npm, GitHub, and jsDelivr.
All of these libraries mimicked jQuery, a small, fast, feature-rich JavaScript library designed to simplify client-side HTML scripting.
Dozens of packages
With jQuery, it is easier to write JavaScript code as the library offers a variety of features such as simplified event handling, animations, and Ajax interactions. It allows developers to perform complex tasks with fewer lines of code compared to plain JavaScript.
“This attack is notable for the high variability between packages,” Phylum said. “The attacker has cleverly hidden the malware in jQuery's rarely used 'end' function, which is called internally by the more popular 'fadeTo' function of its animation utilities.”
So far, Phylum has identified 68 packages, published between late May and late June of this year. Some of the package names include cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets.
This is not the first time that hackers have targeted software developers and their customers using malicious packages. However, such campaigns usually involve a good deal of automation, which shows in the way the packages are named and in the dates on which they are uploaded. This campaign, on the other hand, appears to be entirely manual, as it shows neither of these patterns.
Among the different repositories, PyPI, GitHub and npm are the most frequently attacked.
PyPI, for example, was forced to suspend the creation of new accounts and projects on multiple occasions to prevent hackers from uploading large numbers of malicious packages. GitHub, for its part, saw hackers upload “millions of repositories capable of stealing sensitive information and cookie information” in late February of this year.
Via Hacker News