IconBurst, a new NPM attack


This content is brought to you by Scribe Security, a leading end-to-end software supply chain security solution provider – delivering state-of-the-art security to code artifacts and code development and delivery processes throughout the software supply chains.

A new software supply chain attack designed to extract data from applications and websites was found in over two dozen NPM packages.

Threat –

Earlier this month, ReversingLabs identified IconBurst, a JavaScript NPM attack that installs malicious NPM modules which harvest data from forms embedded in mobile applications and websites.

Spread –

The spread of the attack is not fully clear at this point; however, it has the potential to mass-infect the websites and apps that developers build using these packages. Since each developer can build multiple sites, the threat is magnified. With some of the packages downloaded tens of thousands of times, the estimated scope could be as widespread as past mass infections such as Log4J and SolarWinds. While Log4J was more widespread and SolarWinds had a bigger impact, the ultimate damage can be just as significant.

Tech –

The packages use jQuery scripts aiming to steal data from deployed applications.

In addition, IconBurst uses a JavaScript obfuscator to hide some of its code. An obfuscator is normally meant to protect proprietary code in open-source packages and to compress JavaScript files. IconBurst, however, uses it to hide the exfiltration address used when extracting serialized form data.

This means that the developers unknowingly using these fake packages are not the target of the attack; the real target is the end user.

Infection –

Twenty-four packages using typosquatting methods as a means of distribution have been identified since the beginning of this year.

Attackers use typosquatting techniques, which means impersonating legitimate packages via public repositories such as NPM.

IconBurst focuses on packages that contain the word “Icon”, impersonating high-traffic NPM modules and offering packages under confusingly similar, commonly misspelled names.

Typosquatting is a form of cybersquatting and a form of social engineering attack.

Why use “icon” as the base keyword? The reason is probably the ionicons package, which is frequently used to provide icons in applications built with the Ionic framework.

The icon-package package has a download count of over 17000, by far the most downloaded of the lot, and the ionicio package has over 3700.

Flag –

So what made ReversingLabs raise the proverbial red flag? A JavaScript obfuscator.

As mentioned, a JavaScript obfuscator is intended to protect JavaScript applications: it lets developers protect code from copying or reverse engineering.

The downside of this capability, however, is that attackers can exploit it to disguise malicious code.

The presence of a JavaScript obfuscator is what made ReversingLabs engineers inspect a number of NPM packages, and upon looking at the names of those packages, a pattern emerged. A few of the first packages inspected had the word “icon” in them; that is when the attackers’ strategy became clear: typosquat and mass-infect.

The attackers did not specifically aim at packages with the word icon; ultimately, however, most of the downloaded packages were icon-related because of their popularity.

Hence – “IconBurst”

Here is the list:

| Author / Package name | Download count | Original Package name |
|---|---|---|
| ionic-icon | 108 | ionicons |
| ionicio | 3,724 | ionicons |
| icon-package | 17,774 | ionicons |
| ajax-libs | 2,440 | |
| umbrellaks | 686 | umbrellajs |
| ajax-library | 530 | |
| iconion-package | 101 | |
| package-sidr | 91 | |
| kbrstore | 89 | |
| icons-package | 380 | |
| subek | 99 | |
| package-show | 103 | |
| package-icon | 122 | |
| icons-packages | 170 | |
| ionicon-package | 64 | |
| icons-pack | 49 | |
| pack-icons | 468 | |
| ionicons-pack | 89 | |
| package-ionicons | 144 | |
| package-ionicon | 57 | |
| base64-javascript | 40 | |
| ionicons-js | 38 | |
| ionicons-json | 39 | |
| footericon | 1,903 | |
| roar-01 | 40 | |
| roar-02 | 37 | |
| wkwk100 | 38 | |
| swiper-bundie | 39 | swiper |
| ajax-libz | 40 | |
| swiper-bundle | 185 | swiper |
| atez | 43 | |
| ajax-googleapis | 38 | |
| tezdoank | 69 | |
| ajaxapis | 40 | |
| tescodek | 38 | |
| atezzz | 114 | |
| libz.jquery | 160 | |
| ajax-libary | 36 | |
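As an added example (not code from this post, nor from ReversingLabs or Scribe), here is a small Node.js triage script that checks the names in a package.json against an allowlist of the packages a project actually expects and flags lookalikes of the kind listed above, using three heuristics: small edit distance, the legitimate name embedded as a token, and a shared stem with a few extra edits. The allowlist, thresholds and sample manifest are assumptions constructed for the demo.

```javascript
// Added example (not from the post or ReversingLabs): flag dependency names
// that look like typosquats of packages a project expects. Constructed demo.
const POPULAR = ["ionicons", "swiper", "umbrellajs", "jquery"]; // assumed allowlist
const MAX_DISTANCE = 2; // one or two typos, e.g. umbrellaks vs umbrellajs
const PREFIX_LEN = 5;   // shared stem plus one more edit, e.g. ionicio
// Classic Levenshtein edit distance (insert / delete / substitute), one row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Why `name` looks like an impersonation of `legit`, or null if it does not.
function lookalikeReason(name, legit) {
  if (name === legit) return null; // the genuine package, nothing to flag
  const d = levenshtein(name, legit);
  if (d <= MAX_DISTANCE) return `${d} edit(s) from ${legit}`;
  if (name.split(/[-_.]/).includes(legit)) return `embeds the name ${legit}`;
  if (name.startsWith(legit.slice(0, PREFIX_LEN)) && d <= MAX_DISTANCE + 1)
    return `shares its stem with ${legit}`;
  return null;
}

// Scans dependencies and devDependencies; returns [{ name, reason }] to review.
function scanPackageJson(pkg) {
  const names = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  const findings = [];
  for (const name of names) {
    const legit = POPULAR.find((p) => lookalikeReason(name, p) !== null);
    if (legit) findings.push({ name, reason: lookalikeReason(name, legit) });
  }
  return findings;
}
// Constructed manifest mixing genuine names with lookalikes from the table.
const SAMPLE = {
  dependencies: { ionicons: "^6.0.0", ionicio: "1.0.0", umbrellaks: "1.0.0" },
  devDependencies: { "swiper-bundle": "1.0.0", "react-dom": "^18.0.0" },
};
console.log(scanPackageJson(SAMPLE));
```

Treat hits as candidates for manual review rather than verdicts: derivative packages with legitimate names (a jquery-ui style name, for instance) trigger the embedded-name check as well.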

Intent –

IconBurst was designed to target the end user and get a hold of data entered into forms. Other attacks may target other kinds of data or other kinds of target audiences rather than end users.

But are attackers always after data? Actually, no. We have seen other kinds of attacks: attackers have used code hidden in packages to install crypto miners, targeting the attacked machines’ resources (computing power) without affecting their data at all.

Summary –

IconBurst demonstrates the ability to use what is ultimately rather simple technology: a JavaScript obfuscator disguising malicious code, and impersonation of legitimate packages via public repositories such as NPM.

The real ace up IconBurst’s sleeve is social engineering, not highly sophisticated tech, and it can be just as effective.