Widespread Supply Chain Attack on NPM: Trojanized jQuery Discovered

A sophisticated and persistent supply chain attack targeting the popular JavaScript library jQuery has been uncovered by cybersecurity researchers at Phylum. The attack, which has been active since late May, involves the distribution of trojanized versions of jQuery through dozens of packages on the npm (Node Package Manager) repository, as well as on GitHub and the jsDelivr content delivery network (CDN).

The attackers modified the legitimate jQuery code by inserting malicious code into the “end” function, a part of the jQuery prototype that is often invoked indirectly by other commonly used functions such as “fadeTo.” Because the change sits inside an otherwise genuine copy of the library, it is easy to overlook, and it allows the attackers to exfiltrate sensitive form data from websites where the compromised jQuery version is used.

The scope of the attack is noteworthy, with the malicious jQuery variants found across multiple platforms and under various package names. The attackers have also employed diverse tactics, including obfuscation, misleading version warnings, and the use of legitimate CDNs to mask their malicious activities.

While the specific targets of this attack remain unclear, the widespread distribution of the trojanized packages suggests a potentially broad impact on developers and websites that unknowingly incorporate the malicious code. The seemingly random selection of affected packages, coupled with the sophistication of the malware, raises questions about the attackers’ motives and capabilities.

In light of this ongoing attack, developers and website owners are urged to exercise caution when installing jQuery packages from npm or other sources. Verify the authenticity of the packages, scrutinize the code for any suspicious modifications, and consider using security tools that can detect and mitigate supply chain attacks.
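As an illustration of scrutinizing a vendored jQuery file for the “end” modification described above, the following check is an added example, not code from Phylum or the jQuery project. It assumes the upstream body of “end” is the single return statement listed in the code (confirm this against the official release you pin); the function names, the hint list and both sample fragments are constructed for the example.

```javascript
// Added example: flag a jQuery source whose prototype `end` method was modified.
// Assumption: upstream `end` is a single return statement, listed here for
// 3.x and for 1.x/2.x; confirm against the official release you pin.
const UPSTREAM_END = new Set([
  "returnthis.prevObject||this.constructor()",
  "returnthis.prevObject||this.constructor(null)",
]);
// Heuristic hints only (assumed, not taken from the article): network APIs
// that have no place in a traversal helper.
const NETWORK_HINTS = /\b(fetch|XMLHttpRequest|sendBeacon|ajax|WebSocket)\b/;

// Return the text between the brace at `open` and its matching close brace.
function bodyAt(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unbalanced: keep the rest so it is still flagged
}

// Inspect every `end: function() {` definition in a jQuery source string.
function auditEnd(src) {
  const findings = [];
  const re = /\bend\s*:\s*function\s*\(\s*\)\s*\{/g;
  for (let m; (m = re.exec(src)) !== null; ) {
    const body = bodyAt(src, m.index + m[0].length - 1);
    // Ignore whitespace and trailing semicolons so minified and
    // unminified builds compare equal.
    const norm = body.replace(/\s+/g, "").replace(/;+$/, "");
    findings.push({
      offset: m.index,
      modified: !UPSTREAM_END.has(norm),
      networkHint: NETWORK_HINTS.test(body),
    });
  }
  return findings;
}

// Constructed samples: a clean minified fragment and a tampered fragment.
const CLEAN = 'jQuery.fn={pushStack:function(e){return e},' +
  'end:function(){return this.prevObject||this.constructor()}};';
const TAMPERED = 'jQuery.fn = { end: function() { ' +
  'fetch("https://example.invalid/"); ' +
  'return this.prevObject || this.constructor(); } };';

console.log(auditEnd(CLEAN), auditEnd(TAMPERED));
```

A file that yields no findings at all also deserves a manual look, since a rewritten or obfuscated definition would not match the pattern; comparing the whole file against the official release remains the stronger check.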