Update: IconBurst npm software supply chain attack grabs data from apps and websites

Executive Summary

Update: since publication of this blog, new, malicious packages attributable to the accounts identified in our original report appeared on npm. In addition, new CDN (content distribution network) infrastructure was identified being used for script inclusion. We have updated our blog post to include the latest information and will continue updating it as new threats or information become available. (July 6, 2022)

ReversingLabs researchers recently discovered evidence of a widespread software supply chain attack involving malicious Javascript packages offered via the npm package manager. Researchers at ReversingLabs identified more than two dozen npm packages, dating back six months, that contain obfuscated Javascript designed to steal form data from individuals using applications or websites where the malicious packages had been deployed.

Upon closer inspection, we discovered evidence of a coordinated supply chain attack, with a large number of npm packages containing jQuery scripts designed to steal form data from deployed applications that include them. While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites. In one case, a malicious package had been downloaded more than 17,000 times.

As with the recent (benign) dependency confusion attacks targeting German organizations, these clearly malicious attacks relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages. Attackers impersonated high-traffic npm modules like umbrellajs and packages published by ionic.io. However, it is the end users of software (and their data) rather than development organizations that are the real targets. That makes this attack more comparable to the infamous SolarWinds compromise than to other, more recent supply chain compromises. Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor.

Here’s detailed information on this widespread software supply chain attack, including known indicators of compromise (IOCs) associated with the attacks — and recommendations for remediating the threat posed by these malicious npm modules.

Watch Karlo Zanki's discussion about his IconBurst research on ConversingLabs

Introduction

The ReversingLabs research team is continuously monitoring open-source package repositories for instances of malicious code planting and software supply chain attacks. This work involves both automated and human-led scanning and analysis of packages published in the most popular public package repositories like npm, PyPI, Ruby and NuGet. During these scans, we leverage our proprietary Titanium platform, and our deep file repository of goodware and badware to spot malicious and even suspicious elements hiding in plain view. Our newly released ReversingLabs Software Supply Chain Security platform builds upon that past work. The platform provides a way for dev and SOC teams to deeply examine their CI/CD workflows, containers and release packages to spot nascent or active software supply chain compromises.

Frequently, our work turns up evidence of active software supply chain attacks. In April, we came across npm packages that used a javascript obfuscator to hide their functionality. Our analysis of those packages produced proof of the simulated “dependency confusion” attacks on the software supply chain of leading German companies across a number of industries. We have been tracking npm repositories for occurrences of packages that use the same obfuscator ever since.

Here’s how tracking the usage of this obfuscation technique resulted in discovering several npm accounts, which were used to publish malicious code designed to steal form data entered by end users of infected web applications.

Discussion

The core capability of ReversingLabs’ secure.software solution is analyzing code intent while highlighting malicious behaviors. These indicators cover all kinds of software behavior, from network and file system activities to use of packers associated with malicious campaigns, and the use of evasion techniques.

Got obfuscation?

One technique we’re increasingly attuned to is the use of javascript obfuscator, a goodware component that is intended (mostly) to protect Javascript applications from the prying eyes of those who seek to steal or reverse engineer the code. Despite the respectable bona fides of javascript obfuscator and its laudable purpose, our past research revealed several instances of malicious packages using this tool to disguise malicious code. At this point, every encounter with such behavior requires a closer look.

The presence of a javascript obfuscator was the indicator that initially got our team looking at a wide range of npm packages, mostly published in the last two months, all using the mentioned obfuscator. In total, we discovered more than two dozen npm packages. When we looked at the names of those packages, we noticed some striking similarities. To show you what we mean, check out the following list of suspect packages.

Figure 1: Similarly named packages using javascript obfuscator

Can you spot the pattern? A deeper investigation into these npm modules reveals even more connections. All were connected to one of a handful of npm accounts with names like ionic-io; arpanrizki; kbrstore; and aselole.

Obfuscated code found stealing form data

To figure out what was going on with these packages, our team started by de-obfuscating the package content using a javascript deobfuscator. We followed that with a detailed examination of the de-obfuscated samples, which revealed that all of them perform collection of form data using jQuery Ajax functions, and then exfiltrate that data to various domains controlled by malicious authors. In other words: This is clear evidence of malicious intent.

Clearly, the typosquatting technique used to fool developers into confusing the malicious packages with their legitimate counterparts was working. Packages created by the npm ionic-io author, for example, show that the author published 18 versions of an npm package named icon-package containing the malicious form stealing code. That was a glaring attempt to mislead developers into using this package instead of ionicons, a popular, open-source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps.

Figure 2: Version data related to icon-package

Download stats from npm show that the malicious icon-package has over 17,000 downloads. Data exfiltrated using this package passes through a domain hxxps://ionicio.com, a play on the legitimate ionicons framework domain ionic.io that would be easy for application developers to overlook. The ruse extends beyond the npm ecosystem, though. Note the visual similarity between the fake ionic web page seen in Figure 3 and the legitimate ionic page in Figure 4.

Figure 3: Fake ionic webpage

Figure 4: Legitimate ionic webpage

Under the hood, the malicious packages use a modified script that extends the behavior of the jQuery ajax() function to exfiltrate serialized form data to domains controlled by the attacker. Prior to sending the data, the function validates the URL content to perform target filtering checks.

The trail begins in December 2021

In the process of tracing the origin of the campaign, even older packages containing this type of malicious functionality were discovered. They were published in December 2021 by the author fontsawesome, and also targeted the already mentioned ionicons icon set. The domain used for data exfiltration in these packages is the same as the one used in the first two versions of the icon-package package: hxxps://graph-googleapis.com.

While the exact start of this campaign is unknown, the malicious package published from December 2021 all the way to the middle of May 2022 focused on mimicking the ionicons framework. At that point, the attackers switched to developing new npm packages that reused the same functionality and also started targeting other popular UI frameworks.

One of those packages is called umbrellaks, which is an obvious attempt at a typosquatting attack on the quite popular umbrellajs javascript DOM (document object model) manipulation framework.

We also observed several packages published by the npm account arpanrizki engaging in similar form data-grabbing. However, the exfiltration domain associated with these packages is different: hxxps://arpanrizki.my.id. The form identifier for exfiltrated data was quite specific: ValidateVerificationDataForm. So, as part of our investigation, we performed a GitHub search for this identifier, with some interesting results. (See Figure 5.)

Figure 5: GitHub search results

As the results show, one of the GitHub repositories containing the string in question were maintained by arpantek, a nickname very similar to the one of the npm author. The other result was related to a HackingTool repository belonging to the npm author Woxruz.

Figure 6: Woxruz’s HackingTool

The last commit’s description gives us a clue of the intended use for these software projects. These tools were designed for “Hacking PUBG i’d” [sic]. PUBG is a popular online-multiplayer video game with a large number of users. In other words, it seems the person behind the arpantek and arpanrizki accounts tried to port the login stealing script to the npm ecosystem to expand the reach.

Names of the packages published by arpanrizki also suggest they are targeting popular Javascript frameworks like ionicons and sidr. In particular, the sidr npm package hasn’t been maintained for 6 years, but still has more than 500 weekly downloads, which makes it a good target. Packages published by this author have since been removed from npm and replaced with security placeholders. The sidr package description confirms that in this phase of the campaign, the main target of the actor behind arpanrizki account were PUBG users.

Figure 7: sidr package description and the content of the referenced website

Hungry for data

While the malicious packages we initially observed took a conservative approach to harvesting form data, the more recently published malicious packages are taking a more aggressive approach to acquiring data. Another malicious package we identified, footericon, gathers data from all form elements with a defined “login-form” class.

Figure 8: Form data exfiltration code from footericon package

Similarly, the swiper-bundIe package, a malicious npm package targeting the popular Javascript framework swiper, uses the embedded jQuery approach, extending its end() function with functionality that gathers data from every form element on the page.

Figure 9: Form data exfiltration code from swiper-bundIe package

Clues hidden in code

While we can’t yet identify the actor(s) responsible for these attacks, clues as to the structure of the campaign abound in the deployed packages. For example, the swiper-bundIe package contains a Javascript header in the payload script with cleartext comments that name the author of the package as Alberto Varela, the author of the sidr package targeted by the arpanrizki author. Similarly, the long, commented Javascript one-liner also contains several references to the sidr package.

Figure 10: Comment header at the beginning of the payload from swiper-bundIe package

Finally, the malicious packages use exfiltration domains with a consistent naming pattern: <subdomain>.my.id. Together, these clues suggest a common actor behind the various malicious packages and a unified campaign.

List of malicious npm modules

Table 1: List of malicious packages with corresponding download count

Conclusion

ReversingLabs’ research uncovered an extensive software supply chain attack involving more than two dozen npm modules used by thousands of downstream applications, as indicated by the package download counts.

Analysis of the modules reveals evidence of coordination, with malicious modules traceable to a small number of npm publishers, and consistent patterns in supporting infrastructure such as exfiltration domains. ReversingLabs reached out to the npm security team to report the findings on July 1, 2022.

This attack marks a significant escalation in software supply chain attacks. Malicious code bundled within the npm modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data. The npm modules our team identified have been collectively downloaded more than 27,000 times. As very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks persisted for months before coming to our attention. While a few of the named packages have been removed from npm, most are still available for download at the time of this report.

In publishing this report, we hope it serves as a resource for development organizations to assess their own exposure to these malicious npm modules. We have prepared a list of affected modules and indicators of compromise that organizations can use to look for evidence of active attacks.

Looking beyond this specific incident, it is clear that software development organizations as well as their customers need new tools and processes for assessing supply chain risks like the ones posed by these malicious npm packages. The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component. The success of this attack — with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks — underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.

Indicators of Compromise (IoC)

C2 domains extracted from the analyzed npm packages:

graph-googleapis.com
ionicio.com
curls.safhosting.xyz
arpanrizki.my.id
dnster.my.id
okep.renznesia.xyz
ryucha.my.id
panelllgege.001www.com
nge.scrp.my.id
apiii-xyz.yogax.my.id
panel.archodex.xyz
panel.curlz.online
api.mlbb-x-02.ml

Package versions:

Complete affected package list:
https://blog.reversinglabs.com/hubfs/Blog/IconBurst/package_versions.tsv