A trojanized version of jQuery has been spreading on the npm JavaScript package manager, GitHub and elsewhere, for use in a jQuery attack, security researchers have discovered.
Phylum researchers said they have been monitoring the “persistent supply chain attacker” since May 26, initially on npm, “where we saw the compromised version published in dozens of packages over a month. After investigating, we found instances of the trojanized jQuery on other platforms, such as GitHub, and even as a CDN-hosted resource on jsDelivr.”
The malicious packages can extract website form data and send it to one of many URLs. In all, the researchers observed 68 malicious packages across 33 domains, which they listed in a blog post.
Because they contain so much widely used open source code, platforms like npm and GitHub are an attractive place for threat actors to try to distribute malicious code, or to hijack legitimate projects to launch supply chain attacks.
jQuery Attack Shows ‘High Variability’
The researchers said the jQuery attack “is unlike most we’ve seen at this scale, which typically have a clear, well-defined pattern and an obvious automated aspect. Here, the ad-hoc nature and custom variability of the packages, along with the long timeframe over which they were published, suggest that each package was manually assembled and published.”
The published packages were “relatively minimal,” they said, and the attacker included at least one complete copy of jQuery, often named jquery.min.js, along with other variations such as registration.min.js, icon.min.js, and fontawesome.js. The exfiltration URLs were typically unique for each package. The attacker published to npm under new usernames. although a single user would occasionally publish multiple related packages. The attacker occasionally included multiple file versions with different names within the same project.
“Interestingly, almost every package also contained personal files not typically included in npm publications, such as the npm cache folder, npm logs folder, and a termux.properties file,” the Phylum researchers said.
How the jQuery Attack Works
Each malicious package contained a copy of jQuery with one small difference, the researchers said: the end function, a part of the jQuery prototype, was modified to include additional malicious code.
The attacker “has cleverly hidden the malware in the seldom-used end function of jQuery, which is internally called by the more popular fadeTo function from its animation utilities,” they wrote.
The end method is used to end the most recent filtering operation in the current chain and return the set of matched elements to its previous state. The example of unaltered end method code they provided is pretty simple:
In a malicious example the researchers shared, the code is significantly more complex:
They noted that the attacker is firing off a non-blocking GET request via $.ajax to a remote URL, which includes a query parameter that is constructed by serializing all form data on the page (($(“form”).serialize())) and then encoding it into a hex string.
“This means that if you’re using this trojanized version, all form data on the page is exfiltrated any time the end function is called,” they wrote.
Developers Should Be Cautious with Packages
For the malware to be triggered, the researchers noted that a user must install one of the malicious packages, use the included trojanized jQuery file, and then invoke either the end function or the fadeTo function.
“This specific chain of conditions makes it unclear whether this is a highly targeted attack or if the attacker is simply blending in well and randomly affecting users who download and use these packages,” they said.
“The sheer number of packages, the variability in naming conventions, and the inclusion of personal files within these packages raise questions about the attacker’s capabilities and intentions,” they said. “These factors contrast sharply with the more sophisticated nature of the actual malware itself and the effort taken to conceal its maliciousness in plain sight.
“Despite the narrow set of conditions required to trip the malware, the broad distribution of the packages means the potential impact is wide, potentially affecting many unsuspecting developers. This novel attack exemplifies the rising complexity and potential for the broad reach of supply chain threat actors.”
For developers, supply chain threats like these mean they must be careful to download packages only from trusted sources and to update and patch regularly. Verifying package signatures and using package security tools can also help ensure the security of their projects.
