
Sites infected as open source Alpaca Forms and analytics service Picreel compromised

Hackers have breached two services and modified their JavaScript code to infect more than 4,600 websites with malware, according to security researchers.

The attacks were initially discovered by security researcher Willem de Groot. In a series of tweets, he said that Picreel, an analytics service that enables website owners to see what users are doing and how they interact with a website, was hacked on 11 May. Picreel allows users to embed JavaScript code on their sites for Picreel to work.

"Their 1200+ customer sites are now leaking data to an exfil server in Panama," he said.

Picreel said in a May 22 statement that, "All client and company data, including payment data, personal data, passwords, company or customer data, is safe, and no data has been compromised."

In a later tweet, de Groot said that CloudCMS had also been hacked, affecting some 3,400 websites. Its content delivery network (CDN) had been breached, which enabled the hackers to modify one of its Alpaca Forms scripts. Alpaca Forms is an open source project that lets website owners create web forms.

It is not known how the hackers breached either service. De Groot has posted a sample of the decoded malware on GitHub.

According to reports from ZDNet, CloudCMS has taken down the affected CDN serving up the compromised Alpaca Forms script and is investigating the incident. The company says there are no further indications that there is a security breach with the cloud provider.

In a further tweet, de Groot said that both Picreel and CloudCMS have removed the malicious code from their services.

Tim Mackey, principal security strategist at Synopsys CyRC, told SC Media UK that this is the latest in a series of efforts by malicious actors to compromise websites through their use of open source components.

"Countering this paradigm requires a shift in the way open source components are typically consumed – after all open source has a reputation for providing free software. While an open source component might be free from cost, its consumption is not without responsibilities. One of the key responsibilities being engagement with the community creating the software component. Engaged consumers are in a position to ask questions and review changes and updates before consuming them. This review process is critical when adopting components that transmit data for analysis as those are most tempting for supply chain poisoning," he said.

Mackey said that in the 2019 OSSRA report it was observed that open source components were in use in 96 percent of the audited applications, and that’s due in large part to the ability for application development teams to focus on their unique code and leave the plumbing and foundation to shared components from the open source community.

"Malicious actors are taking advantage of this supply chain dynamic to poison components as they enter the development stream where developers are more focused on the code they create than the code they depend upon," he added.
