A sophisticated and persistent supply chain attack targeting the popular JavaScript library jQuery has been uncovered by cybersecurity researchers at Phylum. Active since late May, this attack involves the distribution of trojanized versions of jQuery through dozens of packages on the npm (Node Package Manager) repository, as well as on GitHub and the jsDelivr content delivery network (CDN).
Attack Details
- Vector: Supply chain attack via npm, GitHub, and jsDelivr CDN
- Target: jQuery library
- Discovery: Identified by cybersecurity researchers at Phylum
Technical Analysis
- Malicious Code Injection: The attackers inserted malicious code into the “end” function, part of the jQuery prototype, often invoked by other commonly used functions like “fadeTo.” This allows the attackers to exfiltrate sensitive form data from websites using the compromised jQuery version.
- Obfuscation and Misleading Tactics: The attackers used obfuscation techniques, misleading version warnings, and legitimate CDNs to mask their malicious activities, making detection and attribution more challenging.
Scope and Impact
- Distribution: The malicious jQuery variants have been found across multiple platforms and under various package names.
- Potential Impact: The broad distribution of trojanized packages suggests a potentially significant impact on developers and websites unknowingly incorporating the malicious code. The specific targets remain unclear, but the attack’s sophistication raises concerns about the attacker’s motives and capabilities.
Recommendations
- Verify Package Authenticity:
- Action Required: Developers and website owners should exercise caution when installing jQuery packages from npm or other sources.
- Verification: Scrutinize the code for any suspicious modifications before use.
- Use Security Tools:
- Action Required: Implement security tools designed to detect and mitigate supply chain attacks.
- Tools: Utilize tools that offer real-time monitoring and alerting for unusual activities or modifications in code packages.
- Monitor and Audit:
- Action Required: Regularly monitor and audit the dependencies and libraries used in projects.
- Audit: Ensure that all third-party code is reviewed and validated for security.
The discovery of this widespread supply chain attack involving trojanized jQuery highlights the critical need for vigilance and robust security practices when using third-party code libraries. Developers and website owners must take proactive measures to verify the authenticity of packages and implement security tools to safeguard against such sophisticated attacks. The ongoing nature and potential impact of this attack underscore the importance of maintaining rigorous security standards in software development and deployment.
