
Hundreds of websites and apps affected by the NPM supply-chain attack

An NPM supply chain attack in December 2021 used dozens of malicious NPM modules containing obfuscated JavaScript code and impacted hundreds of downstream desktop apps and websites.

Researchers at supply chain security firm ReversingLabs discovered that the threat actors behind this campaign used typosquatting to infect developers looking for popular packages, such as the umbrellajs and iconic.io NPM modules.

According to BleepingComputer, developers fooled by the very similar module naming scheme would add the malicious packages, which were designed to steal data from embedded forms (including those used for sign-in), to their apps or websites.

One of the malicious NPM packages used in this campaign (icon-package) has over 17,000 downloads and is designed to exfiltrate serialized form data to several attacker-controlled domains.

IconBurst “relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages,” said Karlo Zanki, a reverse engineer at ReversingLabs.
