It has been revealed that an NPM-based supply-chain attack dating back to December last year used multiple malicious NPM modules containing hidden JavaScript code to attack hundreds of downstream desktop applications and enterprise websites.

Malicious activities uncovered

Researchers from ReversingLabs, the supply chain security company, recently detailed the campaign to compromise the sites and apps. The operation behind the attack, IconBurst, employed typosquatting to infect developers who were looking for popular packages such as umbrellajs and the ionic.io NPM modules.

The scheme worked by fooling developers into installing modules with similar names, so that they would unwittingly add malicious payloads to their websites and desktop apps. The payloads were created to steal information from embedded forms, such as those used for logins.

For example, one of the insidious NPM packages utilised in the attack, icon-package, currently has more than 17,000 downloads and has been engineered to exfiltrate serialised form data to multiple web domains under attacker control.

In a statement, Reverse Engineer Karlo Zanki, of ReversingLabs, commented:

“[IconBurst] relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are like, or common misspellings of, legitimate packages. Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor.”
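The typosquatting described above can be checked for on the developer's side before a build. The following is an added example, not code from ReversingLabs or the article: it flags dependency names in a package.json that are near-misspellings of packages a team intends to use. The allowlist, distance threshold, function names and sample manifest are assumptions made for illustration.

```javascript
// Added example (not from the article): audit package.json dependency names.
// INTENDED is an assumed allowlist; extend it with the packages you really use.
const INTENDED = ["umbrellajs"];             // named in the article
const KNOWN_BAD = new Set(["icon-package"]); // malicious package named in the article

// Treat "umbrella-js", "umbrella_js" and "umbrellajs" as the same spelling.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Levenshtein distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns one finding per suspicious dependency name.
function auditDependencies(pkg, intended = INTENDED, maxDistance = 2) {
  const names = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  const findings = [];
  for (const name of names) {
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, reason: "known-malicious" });
      continue;
    }
    if (intended.includes(name)) continue; // exact match: the real package
    for (const good of intended) {
      const distance = editDistance(normalize(name), normalize(good));
      if (distance <= maxDistance) {
        findings.push({ name, reason: "lookalike", resembles: good, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest; the misspelled names and versions are made up.
const samplePackageJson = {
  dependencies: { umbrellajs: "^3.0.0", umbrelajs: "^1.0.0", "umbrella-js": "^1.0.0" },
  devDependencies: { "icon-package": "^1.0.0", express: "^4.18.0" },
};
console.log(auditDependencies(samplePackageJson));
```

Edit distance alone does not catch a name such as icon-package, which is why the example also carries an explicit list of reported package names.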

Undetermined impact of an attack campaign

Although the team at ReversingLabs contacted security at NPM with a report of its findings, at this time, some malicious IconBurst packages remain available on the official NPM registry.

Zanki commented:

“While a few of the named packages have been removed from NPM, most are still available for download at the time of this report. As very few development organisations have the ability to detect malicious code within open-source libraries and modules, the attacks persisted for months before coming to our attention.”

Although the research team could compile a complete list of the malicious packages employed in the IconBurst 2021 supply-chain attack, its full impact has yet to be calculated. This is because it is not possible to assess exactly how many credentials, and how much data, have been stolen through infected applications and web pages since the packages were deployed last year.

Currently, the only available metrics come from the number of times that each NPM module was installed, and the statistics uncovered by ReversingLabs’ team have raised significant concerns.

Zanki commented that although the complete scope of the incident is not yet known, the team estimates that the malevolent packages they discovered were likely employed by hundreds, and possibly even thousands, of downstream desktop and mobile apps, along with company websites.

The Reverse Engineer stated that the malicious JavaScript code bundled inside the NPM modules is now running within what amounts to an undetermined number of web pages and applications for desktop and mobile devices, and is harvesting untold volumes of confidential user data.

Zanki added that the NPM modules identified by the team had collectively been downloaded over 27,000 times.