Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

July 9, 2024 at 01:07AM

Unknown threat actors have propagated trojanized versions of jQuery on npm, GitHub, and jsDelivr in what researchers described as a “complex and persistent” supply chain attack. Approximately 68 packages were linked to the campaign; the samples varied considerably from one another and used deliberate techniques to keep the tampering inconspicuous. The attacker introduced malicious changes in jQuery’s “end” function, enabling the exfiltration of website form data to a remote URL. The modified jQuery file was also found in a GitHub repository associated with the account “indexsc.” Separately, Datadog reported malicious packages on the Python Package Index (PyPI) around the same time.

Summary of key points:

– Unknown threat actors carried out a supply chain attack by distributing trojanized versions of jQuery through npm, GitHub, and jsDelivr.
– The malicious code was hidden in jQuery’s ‘end’ function, which is called internally by the ‘fadeTo’ animation utility, so the payload runs during ordinary page behavior without any direct call to ‘end’ from site code.
– Approximately 68 packages linked to the campaign were published to the npm registry between May 26 and June 23, 2024, under names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.
– Evidence suggests that each bogus package was assembled and published by hand rather than generated automatically.
– The malicious changes in the ‘end’ function allowed the threat actor to exfiltrate website form data to a remote URL. Because the change is a small edit inside an otherwise legitimate copy of the library, a hash or byte-for-byte comparison against the official jQuery release is the practical way to spot it.
– The trojanized jQuery file was found hosted in a GitHub repository associated with an account called “indexsc,” and JavaScript files in the same repository contained a script tag pointing to the modified version of the library.
– Separately, Datadog identified a series of packages on the Python Package Index (PyPI) capable of downloading a second-stage binary from an attacker-controlled server, selected according to the host’s CPU architecture.
