A supply chain attack dubbed IconBurst has been discovered that uses several malicious NPM packages containing obfuscated JavaScript. Based on reports, the threat actors' objective is to compromise the downstream websites and desktop applications that bundle these packages.
According to the researchers, the operators of the IconBurst campaign used typosquatting to trick developers searching for well-known packages, such as the umbrellajs NPM module and packages from ionic[.]io, into installing lookalike packages with near-identical names.
Once a developer is deceived by a near-identical module name, the IconBurst packages need only be installed into the project: the code they carry harvests data from forms embedded in the resulting websites or apps and exfiltrates it to attacker-controlled domains. Form data of this kind commonly includes the credentials used to sign in to accounts.
The reach of the attack is illustrated by one malicious NPM package from the campaign that alone has more than 15 thousand downloads. The packages are built to steal serialised form data and send it to several threat actor-controlled domains.
Furthermore, cybersecurity experts spotted multiple similarities between the domains the threat actors used to receive the stolen data. This detail implies that the different modules used in the campaign are not controlled by a larger threat group but by a single individual.
The IconBurst packages were still available on the registry despite researchers publishing advisories about these hostile modules.

A research team contacted the NPM security team earlier this month to report its findings regarding the malicious packages. At the time of reporting, however, some of the IconBurst packages were still available for download on the NPM registry.
Overall, the NPM modules involved have reached nearly 30 thousand downloads combined. Thousands of developers and their projects may therefore have pulled in a malicious NPM package.
Unfortunately, the attacks remained undetected for months, as only a few development firms have the capability to identify malicious code within open-source modules and archives. The full impact of this attack is still unknown and is under investigation by researchers. However, some researchers believe hundreds of users are now using the malicious packages.
Software development organisations and their clients should adopt new processes and tooling to block the supply-chain risks posed by malicious NPM packages such as these.