Supply chain, Threat Management

‘IconBurst’ supply chain attack uses typo-squatting to spread malicious Javascript packages via NPM

(“Coding Javascript” by Christiaan Colen is licensed under CC BY-SA 2.0)
("Coding Javascript" by Christiaan Colen is licensed under CC BY-SA 2.0)

Researchers this week discovered IconBurst, a widespread software supply chain attack based on typo-squatting that consisted of malicious Javascript packages spread via the node package manager (NPM).

In a blog post, researchers at ReversingLabs identified more than two dozen NPM packages dating back six months that contain obfuscated Javascript designed to steal form data from individuals using apps or websites where the malicious packages had been deployed.

When the researchers dug deeper, they discovered a coordinated supply chain attack with a large number of NPM packages containing jQuery scripts designed to steal form data from deployed applications that included them. While the full extent of this attack is not yet determined, the researchers said the malicious packages are likely used by hundreds, if not thousands of downstream mobile and desktop applications, as well as websites. In one case, a malicious package had been downloaded more than 17,000 times.

The researchers said the threat actors used a typo-squatting technique to fool developers into confusing the malicious packages with their legitimate counterparts. They said packages created by the NPM ionic-io author, for example, show that the author published 18 versions of an NPM package named icon-package (thus the attack's code name) that contains the malicious form-stealing code.

“That was a glaring attempt to mislead developers into using this package instead of ionicons, a popular, open-source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps."

Tim Helming, cybersecurity evangelist at DomainTools, said ReversingLabs' work highlights an important point: among all of the sophisticated technology used by cybercriminals, they often still make use of surprisingly simple methods to initiate hostile actions — in this case, creating malicious packages with names that closely imitate legitimate packages.

“This is very similar to the tactic used by many phishing campaigns where imitative domain names can deceive web users into clicking on a malicious URL,” Helming said. “Criminals recognize and prey on the fact that when people are moving fast, under pressure, it’s easy to make small mistakes that can add up to much larger consequences. Users of all forms of computer technology should be on heightened lookout for spoofs, be they of domains, software packages, or other objects.”

Developers selecting the correct component for their application rarely review the implementation of that component, said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. Mackey said despite the potential implementation risks, developers are measured on how quickly they implement new functionality or fix bugs in existing functionality.

“This then means they need to rely upon reputational metrics to determine whether a given component is trustworthy,” Mackey said. “Examples of such metrics include version number, downloads, age, stars and the reputation of the author. Malicious teams engaged in typo-squatting attacks know this dynamic and craft their components to not only have a similar name to a legitimate component, but to also have strong reputational metrics.”

Pan Kamal, head of products at BluBracket, said on initial review it looks like a combination of dependency vulnerabilities exploit, fuzzing, and malware injection that makes up this type of incident. Kamal said over the past year, software supply chain has come into sharp focus as more credential and code-based attacks have taken place. Kamal said application security, as well as identity and access management , are cybersecurity segments that are seeing a lot of demand.

“With the constant need to accelerate the pace of software deployment, security for apps has become more complex as the use of open source software and code from third-party repositories becomes more prevalent,” Kamal said. “Developers now take a more defined role in the deployment of application security. Cloud infrastructure and operational technology that drives the configuration and operation of our industrial control systems for utilities, water, oil and gas, chemicals, and transportation are all based on code. Software-based configuration opens up vulnerabilities that hackers can exploit to perpetrate attacks. Vulnerabilities in code are contributing to it becoming the largest cyberattack surface. Software supply chains, which are no longer monolithic entities, are made up of several disparate software components from multiple sources and are being targeted to attack critical infrastructure and operational systems.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds