
    Trojanized jQuery Packages Detected on npm, GitHub, and jsDelivr Code Repositories

    Recent investigations have uncovered trojanized copies of jQuery spread across npm, GitHub, and jsDelivr, in what researchers describe as a sophisticated and long-running supply chain attack.

    “This attack is notable for its extensive diversity among packages,” Phylum noted in a recent report.

    “The perpetrator ingeniously embedded malicious code within the seldom-utilized ‘end’ function of jQuery, which is internally invoked by the more commonly used ‘fadeTo’ function within its animation tools.”

    Up to 68 packages have been implicated in this campaign. These were introduced into the npm registry between May 26 and June 23, 2024, under names like cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets, among others.

    Evidence strongly indicates that each fraudulent package was meticulously compiled and uploaded manually, given the array of publishing accounts involved, the diverse naming conventions, the inclusion of personal files, and the prolonged period over which they were released.

    This method deviates from more typical approaches, where attackers usually adhere to automated processes and recognizable patterns during package creation and deployment.

    According to Phylum’s findings, the malicious modifications were embedded within a function named “end,” allowing the attacker to exfiltrate form data from affected websites to a remote URL.

    Further scrutiny has identified the tampered jQuery file hosted on a GitHub repository linked to an account named “indexsc.” This repository also contains JavaScript files featuring a script pointing to the altered jQuery version.

    “It’s notable that jsDelivr automatically constructs these GitHub URLs without requiring explicit CDN uploads,” remarked Phylum.

    “This may be an effort by the attacker to increase the appearance of legitimacy for the source, or to bypass firewalls by utilizing jsDelivr instead of directly loading from GitHub.”

    These developments coincide with Datadog’s discovery of a series of packages on the Python Package Index (PyPI) capable of downloading a secondary binary from a server controlled by the attacker, contingent on the CPU architecture.
