Malicious NPM packages steal app and web form data, say researchers

Since at least December 2021, a widespread software supply chain attack has targeted the NPM package manager with rogue modules designed to steal data entered in forms by users on websites that include them. These websites include them because they are vulnerable to attack.

The coordinated attack, which has been given the name IconBurst by ReversingLabs, involves no fewer than two dozen NPM packages that include obfuscated JavaScript. This script comes with malicious code that harvests sensitive data from forms embedded within downstream mobile applications and websites.

In a report published on Tuesday, security researcher Karlo Zanki stated that "these clearly malicious attacks relied on typo-squatting," which is a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages. "These clearly malicious attacks relied on typo-squatting," Zanki said. Attackers pretended to be popular NPM modules like umbrellajs and packages published by ionic.io in order to steal sensitive information.

The software packages in question, the majority of which were released within the past few months, have been downloaded more than 27,000 times between them all up to this point. Even more concerning is the fact that the vast majority of the modules can still be downloaded from the repository.

The following is a list of some of the most commonly downloaded malicious modules

• icon-package (17,774)
• ionicio (3,724)
• ajax-libs (2,440)
• footericon (1,903)
• umbrellaks (686)
• ajax-library (530)
• pack-icons (468)
• icons-package (380)
• swiper-bundle (185), and
• icons-packages (170)

bundles of icons and swipers (185), among other things (170)

In one instance that was observed by ReversingLabs, data that was exfiltrated by icon-package was routed to a domain that was named ionicio[.]com. This domain hosted a lookalike page that was engineered to resemble the genuine ionic[.]io website.

In recent months, the authors of the malware that was behind the campaign made additional changes to their strategies in order to gather information from every form element that was present on the website. This indicates an aggressive approach to the process of data harvesting.

Zanki made the observation that due to the decentralized and modular nature of application development, the strength of applications and services is proportional to the strength of their least secure component. "The success of this attack [...] underscores the freewheeling nature of application development and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments," said the researcher who led the attack.