Persistent npm Campaign Shipping Trojanized jQuery
July 10, 2024, 10:02 a.m.
Description
The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled by the attackers. The attack stands out due to its high variability across packages, including unique exfiltration URLs and usernames, as well as the inclusion of personal files in the published packages. This suggests a manual approach rather than an automated one. The report highlights the potential for widespread impact and demonstrates the increasing complexity of supply chain threats.
Date
Published: July 10, 2024, 9:36 a.m.
Created: July 10, 2024, 9:36 a.m.
Modified: July 10, 2024, 10:02 a.m.
Indicators
Attack Patterns
T1102
T1192
T1140
T1195
T1190
T1059