A new software supply chain attack designed to extract data from applications and websites was found in over two dozen NPM packages.
The spread of the attack is not fully clear at this point; however, it has the potential to mass-infect websites and apps built by developers using these packages. Since each developer can build multiple sites, the threat is magnified. With some of the packages being downloaded tens of thousands of times, the estimated scope could be as widespread as past mass infections such as Log4J and SolarWinds. While Log4J was more widespread and SolarWinds had a bigger impact, the ultimate damage can be just as significant.
The packages use jQuery scripts aiming to steal data from deployed applications.
This means that the developers unknowingly using these fake packages aren’t the target of the attack; the real target is the end user.
Twenty-four packages using typosquatting methods as a means of distribution have been identified since the beginning of this year.
Attackers use typosquatting techniques, which means impersonating legitimate packages via public repositories such as NPM.
IconBurst focuses on packages that contain the word “Icon”, impersonating high-traffic NPM modules and offering packages with confusingly similar, commonly misspelled names.
Typosquatting is a form of cybersquatting and a form of social engineering attack.
Why use “icon” as the base keyword? The reason is probably the ionicons package, frequently used to provide icons in applications built with the Ionic framework.
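The typosquatting pattern described above can be checked for on the defender's side. The following is an added example, not code from the original post or from the IconBurst research: it scans a constructed package.json for dependency names within a small edit distance of an assumed allow-list of legitimate packages (ionicons is taken from the post; the other names, the lookalike "lodahs" and the distance thresholds are assumptions).

```javascript
// Added example (not from the original post): flag dependencies whose names are
// suspiciously close to well-known packages, the lookalike pattern IconBurst used.

// Constructed sample package.json; "ionicio" is a lookalike name the post mentions.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    ionicons: "^6.0.0", // legitimate
    ionicio: "^1.0.0",  // lookalike of ionicons
    lodahs: "^4.0.0",   // constructed lookalike of lodash
    react: "^18.0.0",   // legitimate
  },
});

// Assumed allow-list of legitimate high-traffic packages a team actually uses.
const KNOWN_PACKAGES = ["ionicons", "lodash", "react", "express"];

// Plain Levenshtein edit distance (insert, delete, substitute), iterative DP.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Tolerated distance grows with name length (assumed tuning); exact matches are never flagged.
function maxDistanceFor(name) {
  return name.length >= 7 ? 3 : name.length >= 4 ? 2 : 1;
}

// Returns [{ dependency, lookalikeOf, distance }] for each suspicious dependency name.
function findTyposquats(packageJsonText, known = KNOWN_PACKAGES) {
  const deps = Object.keys(JSON.parse(packageJsonText).dependencies || {});
  const findings = [];
  for (const dep of deps) {
    const name = dep.toLowerCase().replace(/^@[^/]+\//, ""); // drop an npm scope prefix
    if (known.includes(name)) continue; // exact allow-list hit: legitimate
    for (const legit of known) {
      const distance = editDistance(name, legit);
      if (distance <= maxDistanceFor(name)) {
        findings.push({ dependency: dep, lookalikeOf: legit, distance });
      }
    }
  }
  return findings;
}
```

A hit is a signal to review the package and its publisher, not proof of malice; legitimate forks and plugins also sit close to popular names.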
The icon-package package has a download count of over 17000, by far the most of any of them, and the ionicio package has over 3700.
However, the downside of this ease of publishing is that attackers can exploit it to disguise malicious code.
The attackers did not try to specifically aim at packages with the word icon, however ultimately most of the downloaded packages were icon related, because of their popularity.
Hence the name “IconBurst”.
Here is the list:
| Author / Package name | Download count | Original Package name |
|---|---|---|
IconBurst was designed to target the end user and get a hold of data entered into forms. Other attacks may target other kinds of data or other kinds of target audiences rather than end users.
But are attackers always after data? Actually, no. We have seen other kinds of attacks: attackers have used code hidden in packages to install crypto miners, targeting the attacked machines’ resources (computing power) and not touching their data at all.
The real ace up IconBurst’s sleeve is social engineering, not highly sophisticated tech, and it can be just as effective.