News

Hundreds of Apps and Websites Affected by Malicious NPM Packages

About two dozen malicious NPM packages have been stealing data from forms embedded in mobile apps and websites since December 2021.

Experts gave this campaign the name IconBurst, since the malware was mostly disguised as popular ionic packages.

Let me remind you that we also said that Hackers Stole the Credentials of 100,000 npm Users.

A new malware campaign was discovered by ReversingLabs researchers, who say that the infected packages contained obfuscated JavaScript, which stole data from all kinds of forms (including those used for login).

These were clearly attacks based on typesquatting: the attackers distributed packages through public repositories with names similar to the names of legitimate libraries or containing common spelling errors. The attackers passed off their packages as popular NPM libraries that attract serious traffic, including umbrellajs and ionic.io packages.experts say.

The malicious packages, most of which have been published in recent months, have collectively been downloaded more than 27,000 times. The full list can be seen below.

Author/Package Name Number of downloads
fontsawesome
ionic-icon 108
ionicio 3724
ionic-io
icon-package 17 774
ajax-libs 2440
umbrellaks 686
ajax-library 530
arpanrizki
iconion-package 101
package-sidr 91
kbrstore 89
icons-package 380
subek 99
package-show 103
package-icon 122
kbrstore
icons-packages 170
ionicon-package 64
icons-pack 49
pack-icons 468
ionicons-pack 89
aselole
package-ionicons 144
package-ionicon 57
base64-javascript 40
ionicons-js 38
ionicons-json 39
footericon
footericon 1,903
ajax-libz
roar-01 40
roar-02 37
wkwk100 38
swiper-bundie 39
ajax-libz 40
swiper-bundle 185
atez 43
ajax-googleapis 38
tezdoank 69

ReversingLabs analysts noticed that data stolen by icon-package was redirected to the ionicio[.]com domain. And the site hosted at this address was specially created in such a way as to resemble the real ionic[.]io resource. At the same time, it is noted that the similarities between the domains used to steal data suggest that the entire campaign is controlled by the same attackers.

ReversingLabs notified the NPM security team of its discovery as early as July 1, 2022, however it is reported that some IconBurst malware packages are still available in the repositories.

While the full scale of this attack is still unclear, the malicious packages we discovered are likely used by hundreds if not thousands of mobile and desktop applications and websites, collecting untold amounts of user data.experts warn.
Add rating
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Related Posts

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Leave a Comment
Share
Published by
Daniel Zimmermann
Tags: IconBurstmalwarenpmReversingLabs
2 years ago

Recent Posts

Remove Vizoaksy pop-up ads (Virus Removal Guide)

Vizoaksy.com is a site that tries to force you into subscribing to its browser notifications…

11 hours ago

Remove Keyapp.monster pop-up ads (Virus Removal Guide)

Keyapp.monster is a site that tries to force you into clik to its browser notifications…

14 hours ago

Remove Withblaockbr.org pop-up ads (Virus Removal Guide)

Withblaockbr.org is a domain that tries to trick you into subscribing to its browser notifications…

14 hours ago

Remove Janorfeb.xyz pop-up ads (Virus Removal Guide)

Janorfeb.xyz is a site that tries to force you into clik to its browser notifications…

2 days ago

Remove Re-captha-version-3-263.buzz pop-up ads (Virus Removal Guide)

Re-captha-version-3-263.buzz is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove Usavserver pop-up ads (Virus Removal Guide)

Usavserver.com is a site that tries to force you into subscribing to its browser notifications…

2 days ago