Security News > 2024 > July > Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "Complex and persistent" supply chain attack.

As many as 68 packages have been linked to the campaign.

There is evidence to suggest that each of the bogus packages were manually assembled and published due to the sheer number of packages published from various accounts, the differences in naming conventions, the inclusion of personal files, and the long time period over which they were uploaded.

The malicious changes, per Phylum, have been introduced in a function named "End," allowing the threat actor to exfiltrate website form data to a remote URL. Further investigation has found the trojanized jQuery file to be hosted on a GitHub repository associated with an account called "Indexsc." Also present in the same repository are JavaScript files containing a script pointing to the modified version of the library.

"This is likely an attempt by the attacker to make the source look more legitimate or to sneak through firewalls by using jsDelivr instead of loading the code directly from GitHub itself."

The development comes as Datadog identified a series of packages on the Python Package Index repository with capabilities to download a second-stage binary from an attacker-controlled server depending on the CPU architecture.

News URL

https://thehackernews.com/2024/07/trojanized-jquery-packages-found-on-npm.html