Researchers have found that a simple attack on the NPM supply chain has compromised thousands of websites and desktop applications.
According to ReversingLabs, an attacker known as IconBurst has created a number of malicious NPM modules capable of hacking serialized form data, giving them nearly identical names to other legitimate modules.
This is a common attack technique known as tapioscotting. Attackers are basically trying to assume identities (Opens in a new tab) From legitimate developers. Then developers who are in a hurry, or who don’t pay attention to details like NPM names, download the modules and include them in their work.
Tens of thousands of downloads
“The similarities between the bands used to pull the data suggest that the different units in this campaign are under the control of a single actor,” explained Carlo Zanchi, reverse engineer at Reversing Labs.
The team contacted NPM’s security department earlier this month with its findings, but some malicious packages remain.
“Although a few specific packages have been removed from NPM, most of them are still available for download at the time of this report,” Zangi added. “Because very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks continued for several months before we came to our attention.”
The researchers added that determining the exact amount of data stolen is almost impossible. The campaign has been in effect since at least December 2021.
“Although the full scope of this attack is not yet known, it is possible that the malicious packages we discovered were being used by hundreds, if not thousands of mobile and desktop apps as well as websites,” Zenge said.
“Collectively, the NPM modules identified by our team have been downloaded more than 27,000 times.”
