News

Hundreds of Apps and Websites Affected by Malicious NPM Packages

About two dozen malicious NPM packages have been stealing data from forms embedded in mobile apps and websites since December 2021.

Experts gave this campaign the name IconBurst, since the malware was mostly disguised as popular ionic packages.

Let me remind you that we also said that Hackers Stole the Credentials of 100,000 npm Users.

A new malware campaign was discovered by ReversingLabs researchers, who say that the infected packages contained obfuscated JavaScript, which stole data from all kinds of forms (including those used for login).

These were clearly attacks based on typesquatting: the attackers distributed packages through public repositories with names similar to the names of legitimate libraries or containing common spelling errors. The attackers passed off their packages as popular NPM libraries that attract serious traffic, including umbrellajs and ionic.io packages.experts say.

The malicious packages, most of which have been published in recent months, have collectively been downloaded more than 27,000 times. The full list can be seen below.

Author/Package NameNumber of downloads
fontsawesome
ionic-icon108
ionicio3724
ionic-io
icon-package17 774
ajax-libs2440
umbrellaks686
ajax-library530
arpanrizki
iconion-package101
package-sidr91
kbrstore89
icons-package380
subek99
package-show103
package-icon122
kbrstore
icons-packages170
ionicon-package64
icons-pack49
pack-icons468
ionicons-pack89
aselole
package-ionicons144
package-ionicon57
base64-javascript40
ionicons-js38
ionicons-json39
footericon
footericon1,903
ajax-libz
roar-0140
roar-0237
wkwk10038
swiper-bundie39
ajax-libz40
swiper-bundle185
atez43
ajax-googleapis38
tezdoank69

ReversingLabs analysts noticed that data stolen by icon-package was redirected to the ionicio[.]com domain. And the site hosted at this address was specially created in such a way as to resemble the real ionic[.]io resource. At the same time, it is noted that the similarities between the domains used to steal data suggest that the entire campaign is controlled by the same attackers.

malicious NPM packages

ReversingLabs notified the NPM security team of its discovery as early as July 1, 2022, however it is reported that some IconBurst malware packages are still available in the repositories.

While the full scale of this attack is still unclear, the malicious packages we discovered are likely used by hundreds if not thousands of mobile and desktop applications and websites, collecting untold amounts of user data.experts warn.
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button