Security researchers from ReversingLabs discovered that 25 software packages available through the node package manager (NPM) have been stealing end-user data.

NPM is the world’s largest open-source code repository enabling JavaScript developers to publish and download software packages to use in applications and other libraries.

Node.js is the world’s most-used JavaScript runtime, and NPM is its default package manager.

ReversingLabs researchers have dubbed the data harvesting campaign “IconBurst”, which involves attackers using typo-squatting to trick developers into downloading malicious packages.

Typo-squatting refers to bad actors uploading software packages to public repositories with names strikingly similar to legitimate packages.

The researchers started their investigation after noticing several packages that used a JavaScript obfuscator to disguise malicious code, and traced the IconBurst campaign back to December 2021.

After deobfuscating the code, ReversingLabs’ team found that all the packages collected data entered into forms using jQuery Ajax functions and exfiltrated it to attacker-controlled domains.

One of the malicious packages, icon-package published under the name ionic-io, had been downloaded over 17,000 times. For context, the legitimate icon package from ionic.io is named ionicons.

Other malicious packages include ajax-libs, ionicio, footericon, pack-icons, and icons-packages.
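The practical check a developer wants after reading the list above is whether any of these names, or a look-alike of a legitimate package, is already in their dependency tree. The following audit script is an added example and is not code from the article or from ReversingLabs. The denylist is the set of package names the article reports; the list of legitimate packages, the sample package.json and the edit-distance thresholds are constructed assumptions for illustration, and a real audit would use its own allow-list.

```javascript
// Added example (not from the article): audit a package.json for the IconBurst
// package names reported by ReversingLabs and for typo-squat look-alikes of
// legitimate packages.

// Package names taken from the article's list of malicious IconBurst packages.
const KNOWN_MALICIOUS = new Set([
  "icon-package", "ionicio", "ajax-libs", "footericon", "pack-icons", "icons-packages",
]);

// Legitimate names to compare against. Constructed for this example; a real
// audit would use the organisation's own allow-list.
const LEGITIMATE = ["ionicons", "ionic", "jquery", "axios"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0]; // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return prev[b.length];
}

// Returns one finding per suspicious dependency: an exact match against the
// reported malicious names, or a near-miss of a legitimate name. Short names
// get a tighter threshold (assumption) to limit false positives such as
// "query" vs "jquery".
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const rawName of Object.keys(deps)) {
    const name = rawName.toLowerCase().replace(/^@[^/]+\//, ""); // drop npm scope
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name: rawName, reason: "known-malicious" });
      continue;
    }
    if (LEGITIMATE.includes(name)) continue;
    const limit = name.length >= 8 ? 2 : 1;
    for (const legit of LEGITIMATE) {
      const distance = editDistance(name, legit);
      if (distance >= 1 && distance <= limit) {
        findings.push({ name: rawName, reason: "lookalike", similarTo: legit, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample package.json: one legitimate package, two names from the
// article's list, and a one-character typo of "ionicons" invented for this example.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "ionicons": "^6.0.0",
    "icon-package": "^1.0.0",
    "ionicon": "^1.0.0",
    "axios": "^1.0.0",
  },
  devDependencies: { "ajax-libs": "^1.0.0" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with `node audit.js` after replacing SAMPLE_PACKAGE_JSON with the parsed contents of a real package.json (or a lockfile walk, since transitive dependencies are where such packages usually hide). The edit-distance check is deliberately conservative: several IconBurst names mimic a brand rather than a spelling, so the denylist match does most of the work and the look-alike rule only catches single-edit typos.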

“Similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in control of a single actor,” ReversingLabs security researcher Karlo Zanki said.

“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites,” Zanki added.

ReversingLabs reported the malicious packages to NPM’s security team on 1 July.

The researchers said that while some of the named packages had been removed from NPM, most were still available for download at the time their report was published.

