Persistent npm Campaign Shipping Trojanized jQuery

July 10, 2024, 10:02 a.m.

Description

The report describes a persistent supply chain campaign that distributes a trojanized jQuery through npm, GitHub and other channels. The malicious variant modifies jQuery's 'end' function so that, when it runs, it collects form data from the hosting page and sends it to remote URLs controlled by the attackers. The campaign stands out for its high variability across packages, including a distinct exfiltration URL and publisher username per package, and for the inclusion of personal files in the published packages, which points to manual rather than automated publishing. The report highlights the potential for widespread impact and shows the growing complexity of supply chain threats.

Date

Published: July 10, 2024, 9:36 a.m.
Created: July 10, 2024, 9:36 a.m.
Modified: July 10, 2024, 10:02 a.m.

Indicators

ns.api-system.engineer

nd.api-system.engineer

log.api-system.engineer

termux.properties

api-system.engineer

https://systems-alexhost.xyz

https://system-alexhosting.biz.id

https://saystem.ditzzultimate.xyz

https://qxue.biz.id

https://pukil.dannew.biz.id

https://project.systemgoods.me

https://pokemon.denii.biz.id

https://patipride.icikipoxx.pw

https://paneljs.hanznesia.my.id

https://paneljs.dimashost.xyz

https://panel.api-bo.my.id

https://panel-host.dmdpanel.my.id

https://panel-host.clannesia.com

https://ns.api-system.engineer

https://nd.api-system.engineer

https://log.systems-alexhost.xyz

https://log.api-system.engineer

https://irisainginbos.icikipoxx.pw

https://danu.eventtss.my.id

https://cssimage.dimashost.xyz

https://apiweb.eventtss.my.id

https://api.newrxl.online

https://apii.fukaes.ninja

https://api.jstyy.xyz

https://api.iimg.my.id

https://api.codatuys.biz.id

https://api-web-vrip.hanznesia.my.id

https://api-system.engineer

https://api-bo.my.id

https://anti-spam.truex.biz.id

https://ajax.failexpect.biz.id

http://truex.biz.id/halo/?cat=

http://apii-pandawara.ganznesia.my.id

Attack Patterns

T1102 Web Service

T1192 Spearphishing Link (deprecated; superseded by T1566.002)

T1140 Deobfuscate/Decode Files or Information

T1195 Supply Chain Compromise

T1190 Exploit Public-Facing Application

T1059 Command and Scripting Interpreter