Persistent npm Campaign Shipping Trojanized jQuery

July 10, 2024, 10:02 a.m.

Description

The report describes a persistent supply chain attack that distributes a trojanized version of jQuery through several channels, including npm and GitHub. The malicious variant carries a modified 'end' function that exfiltrates website form data by sending it to attacker-controlled remote URLs. The campaign stands out for its high variability across packages, including unique exfiltration URLs and publisher usernames per package, as well as the inclusion of personal files in the published packages; together these point to manual publishing rather than an automated pipeline. The report highlights the potential for widespread impact and illustrates the growing complexity of supply chain threats.

Date

  • Created: July 10, 2024, 9:36 a.m.
  • Published: July 10, 2024, 9:36 a.m.
  • Modified: July 10, 2024, 10:02 a.m.

Indicators


Attack Patterns

  • T1102
  • T1192
  • T1140
  • T1195
  • T1190
  • T1059