When the researchers dug deeper, they discovered a coordinated supply chain attack with a large number of NPM packages containing jQuery scripts designed to steal form data from deployed applications that included them. While the full extent of this attack is not yet determined, the researchers said the malicious packages are likely used by hundreds, if not thousands of downstream mobile and desktop applications, as well as websites. In one case, a malicious package had been downloaded more than 17,000 times.
The researchers said the threat actors used a typo-squatting technique to fool developers into confusing the malicious packages with their legitimate counterparts. They said packages created by the NPM ionic-io author, for example, show that the author published 18 versions of an NPM package named icon-package (thus the attack's code name) that contains the malicious form-stealing code.
Tim Helming, cybersecurity evangelist at DomainTools, said ReversingLabs' work highlights an important point: among all of the sophisticated technology used by cybercriminals, they often still make use of surprisingly simple methods to initiate hostile actions — in this case, creating malicious packages with names that closely imitate legitimate packages.
“This is very similar to the tactic used by many phishing campaigns where imitative domain names can deceive web users into clicking on a malicious URL,” Helming said. “Criminals recognize and prey on the fact that when people are moving fast, under pressure, it’s easy to make small mistakes that can add up to much larger consequences. Users of all forms of computer technology should be on heightened lookout for spoofs, be they of domains, software packages, or other objects.”
Developers selecting the correct component for their application rarely review the implementation of that component, said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. Mackey said despite the potential implementation risks, developers are measured on how quickly they implement new functionality or fix bugs in existing functionality.
“This then means they need to rely upon reputational metrics to determine whether a given component is trustworthy,” Mackey said. “Examples of such metrics include version number, downloads, age, stars and the reputation of the author. Malicious teams engaged in typo-squatting attacks know this dynamic and craft their components to not only have a similar name to a legitimate component, but to also have strong reputational metrics.”
Pan Kamal, head of products at BluBracket, said on initial review it looks like a combination of dependency vulnerabilities exploit, fuzzing, and malware injection that makes up this type of incident. Kamal said over the past year, software supply chain has come into sharp focus as more credential and code-based attacks have taken place. Kamal said application security, as well as identity and access management , are cybersecurity segments that are seeing a lot of demand.
“With the constant need to accelerate the pace of software deployment, security for apps has become more complex as the use of open source software and code from third-party repositories becomes more prevalent,” Kamal said. “Developers now take a more defined role in the deployment of application security. Cloud infrastructure and operational technology that drives the configuration and operation of our industrial control systems for utilities, water, oil and gas, chemicals, and transportation are all based on code. Software-based configuration opens up vulnerabilities that hackers can exploit to perpetrate attacks. Vulnerabilities in code are contributing to it becoming the largest cyberattack surface. Software supply chains, which are no longer monolithic entities, are made up of several disparate software components from multiple sources and are being targeted to attack critical infrastructure and operational systems.”