Unknown threat actors have been distributing trojanized copies of jQuery through npm, GitHub, and the jsDelivr CDN, as part of a larger and unusually complex attack on the software supply chain.
According to Phylum, the software supply chain security company that reported the campaign, it stands out for the sheer variety of packages involved. The attackers hid their code inside jQuery's rarely used ‘end’ function. Few developers call ‘end’ directly, but it runs internally whenever the far more common ‘fadeTo’ animation method is used, so the payload fires during ordinary page activity.
What’s Happening?
- 68 Packages Affected: Phylum counted 68 packages, with names such as cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, published to npm between May 26 and June 23, 2024.
- Manual Effort: The variety of package names, the inclusion of personal files, and the extended period over which they were uploaded suggest the packages were assembled and published by hand, rather than by the automated tooling behind most bulk npm campaigns.
How Does It Work?
The malicious code lives inside jQuery's ‘end’ function. When it runs, it collects form data from the page and sends it to a remote server controlled by the attackers. A copy of the trojanized jQuery is also hosted on a GitHub account named “indexsc,” alongside other JavaScript files that load that altered version of the library.
Why It Matters
- Legitimacy: jsDelivr automatically builds CDN URLs for files in any public GitHub repository, so the attackers can serve the trojanized library from a trusted CDN hostname instead of directly from GitHub. The script looks more legitimate to anyone reviewing the page, and it can slip past firewalls or content filters that block direct loads from GitHub.
Other Incidents
Datadog has separately reported malicious packages on the Python Package Index (PyPI) that download additional second-stage malware, selected according to the victim machine's CPU architecture.
What You Should Do
If you use jQuery from npm or a CDN, confirm that the copy you ship is the genuine release: take it from the official jquery package or jquery.com, pin the exact version, and verify its integrity (for example with a Subresource Integrity hash) rather than trusting a look-alike package name or a GitHub-backed jsDelivr URL. Treat every third-party library you add as untrusted until you have checked where it came from and that it matches a known-good copy.