
Malicious modules found in the NPM library were downloaded thousands of times

Researchers at ReversingLabs say they have found more malicious JavaScript code in packages hosted on the open source NPM repository, the latest in a string of untrustworthy libraries discovered on open source package sites.

The company said it found more than two dozen malicious packages, dating back six months, that contain hidden JavaScript designed to steal form data from people using the applications or websites into which the packages had been bundled.

The researchers described it as a “coordinated supply chain attack.”

“Although the full extent of this attack is not yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites,” the report said. “In one case, a malicious package had been downloaded more than 17,000 times.”

The attackers rely on typosquatting: they give their packages names that closely resemble, or are common misspellings of, legitimate packages. Among those imitated are high-traffic modules such as umbrellas (the fake module is called umbrellas) and packages published by ionic.io.

Similarities between the domains used to exfiltrate the stolen data indicate that the various modules in this campaign are under the control of a single actor, the report adds.

NPM is one of several open source package repositories that developers draw on for their applications. Others include PyPI, Ruby and NuGet.

The recent discovery of malicious code in these repositories only underscores the need for application developers to scrutinize the code they pull from open source sites. One tool they can use is a JavaScript deobfuscator to investigate obfuscated code – obfuscation being a suspicious sign in itself.
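As an added illustration of the typosquatting pattern described above (example code written for this page, not from the article or from ReversingLabs), the following check flags dependencies in a package.json whose names sit within a couple of edits of a project's allowlisted package names. The allowlist, the sample manifest and the misspelled names in it are constructed.

```javascript
// Added example: flag dependencies whose names are a small edit distance away
// from well-known package names, the typosquatting pattern the article describes.
// The allowlist and the sample package.json below are constructed for illustration.

// Damerau-Levenshtein (optimal string alignment) distance: insertions, deletions,
// substitutions and adjacent transpositions, so "lodahs" is one edit from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Constructed allowlist of packages a project is known to depend on.
const KNOWN_PACKAGES = ['lodash', 'express', 'umbrellajs', 'react'];

// Returns [{ name, lookalike, distance }] for every dependency that is not an
// exact allowlist entry but sits within maxDistance edits of one.
function findLookalikes(pkgJson, maxDistance = 2) {
  const deps = Object.keys({ ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) });
  const hits = [];
  for (const name of deps) {
    if (KNOWN_PACKAGES.includes(name)) continue; // exact match: legitimate
    for (const known of KNOWN_PACKAGES) {
      const distance = editDistance(name.toLowerCase(), known);
      if (distance <= maxDistance) hits.push({ name, lookalike: known, distance });
    }
  }
  return hits;
}

// Constructed sample manifest: three typosquats and one legitimate dependency.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { lodahs: '^4.0.0', express: '^4.18.0', umbrelajs: '^3.0.0' },
  devDependencies: { raect: '^18.0.0' },
};

console.log(findLookalikes(SAMPLE_PACKAGE_JSON));
// → lodahs (lodash), umbrelajs (umbrellajs) and raect (react), each at distance 1
```

A hit is a prompt to verify the package's publisher and source repository before installing, not proof of malice, since legitimately similar names exist.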


ReversingLabs did this with the suspicious modules it found and discovered that all of them collect form data using jQuery Ajax functions and send it to various domains controlled by the malicious authors.

Not only are the names of the malicious packages similar to those of legitimate packages; in some cases the websites the packages link to are well-made copies of genuine sites, which further misleads those who download them. For example, this is the fake Ionic page linked from one of the malicious packages discovered by ReversingLabs …

… and this is the real website.

“This attack marks a significant escalation in software supply chain attacks,” the report said. “Malicious code gathered in the NPM modules runs in an unknown number of mobile and desktop applications and websites, and harvests countless amounts of user data.

“The NPM modules our team identified have been downloaded more than 27,000 times in total. Since very few development organizations have the ability to detect malicious code in open source libraries and modules, the attacks persisted for several months before coming to our attention. Although a few of the named packages have been removed from NPM, most are still available for download at the time of this report.”
