ReversingLabs researchers discovered more than two dozen NPM packages stealing form data in a “coordinated supply chain attack” since December 2021. Node Package Manager (NPM) is a dependency installer for the JavaScript Node.js runtime environment.
Dubbed IconBurst, the SolarWinds-style attack leveraged typo-squatting, the subtle but intentional misspelling of popular software repositories, to trick developers into downloading the malicious packages.
According to the researchers, the supply chain attack succeeded, with one malicious NPM package downloaded more than 17,000 times.
However, while the malicious packages used developers as the springboard for the attack, their final target was the end users’ data.
Beware of typo-squatting of popular NPM packages
ReversingLabs researchers found that the threat actors distributed malicious NPM packages disguised as legitimate JavaScript libraries.
They leveraged the typo-squatting technique that exploits common misspellings of legitimate packages to trick developers into installing infected libraries.
They targeted high-traffic NPM packages such as the popular Umbrellajs JavaScript library for manipulating the document object model (DOM).
“Attackers impersonated high-traffic NPM modules like umbrellajs and packages published by ionic.io,” the researchers wrote in a blog post. “However, it is the end users of software (and their data) rather than development organizations that are the real targets.”
Similarly, the researchers found deliberate attempts to mimic fontawesome and ionicons in the package names.
The attackers also created fake websites such as https://ionicio[.]com that closely resembled the legitimate https://ionic[.]io domain.
Additionally, they attempted to impersonate the legitimate authors of popular NPM packages.
For example, they inserted cleartext comments in the swiper-bundle attributing Alberto Varela as the author of the malicious repository. Varela is the author of the legitimate Sidr package targeted by the attackers.
Thousands of websites and applications used malicious NPM packages
Software developers had downloaded the malicious NPM packages more than 27,000 times. The most popular was the “fontsawesome” icon-package downloaded 17,774 times.
Other popular misspelt NPM packages include the ionicio NPM package downloaded 3,724 times, Ajax-libs with 2,440 downloads, footericon by footericon downloaded 1,903 times, umbrellaks (686), ajax-library (530), pack-icons (468), icons-package (380), swiper-bundle (185), and icons-packages (170).
Others include package-sidr, package-show, ionicons-pack, libz.jquery, and ajax-libary.
The researchers could not determine the full extent of the supply chain attack. However, they observed that the threat actors had leveraged dependency confusion attacks to target German organizations across various industries.
“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites,” they warned.
Hackers used obfuscated JavaScript code to steal data in the IconBurst supply chain attack
The researchers used a JavaScript deobfuscator to deobfuscate the JavaScript code used in the software supply chain attack. They discovered that the attackers used jQuery Ajax functions to exfiltrate data to malicious domains under their control.
In various malicious repositories, the attackers used the form identifier “ValidateVerificationDataForm” to collect form data.
The footericon package collected data by serializing all forms named with the “login-form” identifier, while the swiper-bundIe collected data from any “form” element.
Evidence of a coordinated software supply chain attack
The researchers discovered that the software supply chain attack was a coordinated campaign with exfiltration domains using similar data-grabbing techniques and repositories associated with a small group of accounts.
“A deeper investigation into these NPM modules reveals even more connections. All were connected to one of a handful of NPM accounts with names like ionic-io; arpanrizki; kbrstore; and aselole.”
One account used to publish malicious NPM packages in the software supply chain attack, ‘arpanrizki’, had other GitHub projects leveraging similar tactics. The researchers successfully linked the account to “Woxruz’s HackingTool” for stealing PUBG login credentials.
Aggressive data exfiltration campaign
The malicious NPM packages were aimed at harvesting sensitive data from forms embedded in mobile applications and websites.
The threat actors initially took a conservative approach to exfiltrating web pages’ data. However, newer malicious NPM packages adopted an aggressive approach to data exfiltration.
For example, the footericon library attempted to steal data from every login form while swiper-bundIe collected data from any form on any web page.
ReversingLabs warned that most software development organizations could not detect open-source libraries with malicious code. Subsequently, ReversingLabs researchers reported the malicious NPM repositories to the NPM security team for removal to keep the software supply chain secure.
Additionally, they published a list of indicators of compromise (IoCs), including exfiltration domains, to assist organizations in identifying possible malicious packages used in their applications.
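One way to check a project for the package names listed in this article is sketched below in Node.js. This is an added example, not ReversingLabs' tooling: the function names, the edit-distance thresholds and the sample manifest are assumptions, and the lookalike check extends the article's list to near-miss spellings of the impersonated libraries.

```javascript
// Package names this article reports as malicious, lowercased as npm names are.
const REPORTED = new Set([
  'fontsawesome', 'ionicio', 'ajax-libs', 'footericon', 'umbrellaks',
  'ajax-library', 'pack-icons', 'icons-package', 'swiper-bundle', 'icons-packages',
  'package-sidr', 'package-show', 'ionicons-pack', 'libz.jquery', 'ajax-libary',
]);
// Libraries the article names as impersonated; extend with your own key dependencies.
const IMPERSONATED = ['umbrellajs', 'fontawesome', 'ionicons', 'sidr'];
// Levenshtein edit distance using two rows of the dynamic-programming table.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length];
}
// Names from a parsed package.json (direct) or package-lock.json v2/v3 (transitive).
function dependencyNames(manifest) {
  const names = new Set();
  for (const f of ['dependencies', 'devDependencies', 'optionalDependencies'])
    Object.keys(manifest[f] || {}).forEach((n) => names.add(n));
  for (const path of Object.keys(manifest.packages || {}))
    if (path.includes('node_modules/')) names.add(path.split('node_modules/').pop());
  return [...names];
}
// Flag reported names, then near-miss spellings of the impersonated libraries.
function audit(manifest, maxDistance = 2) {
  const findings = [];
  for (const raw of dependencyNames(manifest)) {
    const name = raw.toLowerCase();
    if (REPORTED.has(name)) { findings.push({ name: raw, reason: 'reported' }); continue; }
    // Short targets such as sidr get a tighter threshold to limit false positives.
    const near = IMPERSONATED.find((t) => name !== t &&
      editDistance(name, t) <= Math.min(maxDistance, Math.floor(t.length / 4)));
    if (near) findings.push({ name: raw, reason: `lookalike of ${near}` });
  }
  return findings;
}

// Constructed sample; "fontawesme" and the version strings are made up for the demo.
const SAMPLE = {
  dependencies: { umbrellajs: '^3.3.1', fontsawesome: '1.0.0', fontawesme: '1.0.0' },
  packages: { '': {}, 'node_modules/express/node_modules/ajax-libary': {} },
};
console.log(audit(SAMPLE));
```

Pass it the parsed contents of both package.json and package-lock.json, since a reported package can arrive as a transitive dependency that never appears in package.json.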
Uriel Maimon, VP of Emerging Products at PerimeterX, described the NPM supply chain attack as evidence of software supply chain risks. He advised organizations to evaluate whether they had the tools and abilities to address software supply chain risks on their websites.
“Using a multi-tiered approach that looks at the entire attack lifecycle from data theft and harvesting, through validation and then account fraud, can provide indications of account takeover activity, and prevent it regardless of the method the attacker used to get in,” Maimon said.
“The proliferation of single point products within the cyber security landscape is indicative of the rapidly expanding attack surface for supply chain attacks,” Rajiv Pimplaskar, CEO of Dispersive Holdings, said. “Governments and businesses should extend zero trust strategies to sensitive 3rd party supplier connections and APIs as well as utilize a next gen VPN that obfuscates source destination relationships making them hard to identify for a threat actor. Also, small and medium businesses should consider platform solutions rather than relying on single point products that increase supply chain vulnerabilities and risk.”