{"id":451524,"date":"2022-07-06T11:32:52","date_gmt":"2022-07-06T09:32:52","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=451524"},"modified":"2022-07-06T11:33:36","modified_gmt":"2022-07-06T09:33:36","slug":"researchers-discover-rogue-node-js-packages-stealing-data","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/451524-researchers-discover-rogue-node-js-packages-stealing-data.html","title":{"rendered":"Researchers discover rogue Node.js packages stealing data"},"content":{"rendered":"<p>Security researchers from ReversingLabs <strong><a href=\"https:\/\/blog.reversinglabs.com\/blog\/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites\" target=\"_blank\" rel=\"noopener\">discovered<\/a><\/strong> that 25 software packages available through the node package manager (NPM) have been stealing end-user data.<\/p>\n<p>NPM is the world\u2019s largest open-source code repository enabling JavaScript developers to publish and download software packages to use in applications and other libraries.<\/p>\n<p>Node.js is the world\u2019s most-used JavaScript runtime, and NPM is its default package manager.<\/p>\n<p>ReversingLabs researchers have dubbed the data harvesting campaign \u201cIconBurst\u201d, which involves attackers using typo-squatting to trick developers into downloading malicious packages.<\/p>\n<p>Typo-squatting refers to bad actors uploading software packages to public repositories with names strikingly similar to legitimate packages.<\/p>\n<p>The researchers started their investigation when they discovered several packages using a javascript obfuscator to disguise malicious code and found that the IconBurst campaign goes back to December 2021.<\/p>\n<p>After deobfuscating the code, ReversingLabs\u2019 team found that all the packages collected users\u2019 form data using jQuery Ajax functions and extracted it to attacker-controlled domains.<\/p>\n<p>One of the malicious packages, icon-package from ionic-io, had been downloaded over 17,000 times. For context, ionic.io\u2019s legitimate package is named ionicons.<\/p>\n<p>Other malicious packages include ajax-libs, ionicio, footericon, pack-icons, and icons-packages.<\/p>\n<p>\u201cSimilarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in control of a single actor,\u201d ReversingLabs security researcher Karlo Zanki said.<\/p>\n<p>\u201cWhile the full extent of this attack isn\u2019t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites,\u201d Reversing Labs security researcher Karlo Zanki said.<\/p>\n<p>ReversingLabs reported the malicious packages to NPM\u2019s security team on 1 July.<\/p>\n<p>The researchers said that while some of the named packages have been removed from NPM, most were still available for download at the time of their report\u2019s publication.<\/p>\n<hr \/>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/technology\/450672-attackers-use-new-trick-on-facebook-to-steal-passwords.html\">Attackers use new trick on Facebook to steal passwords<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>ReversingLabs security researchers have discovered a massive data harvesting campaign using malicious NPM packages that dates back to December 2021.<\/p>\n","protected":false},"author":341094,"featured_media":451528,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sma_x_autopost_status":"idle","_sma_x_autopost_error":"","_sma_x_post_id":"","_sma_x_attempts":0,"footnotes":""},"categories":[27],"tags":[79586,32378,79584,12379,79588],"class_list":["post-451524","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-iconburst","tag-javascript","tag-node-package-manager-npm","tag-node-js","tag-reversinglabs"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/451524"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341094"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=451524"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/451524\/revisions"}],"predecessor-version":[{"id":451534,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/451524\/revisions\/451534"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/451528"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=451524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=451524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=451524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}