Two sentences summarizing the content: ReversingLabs uncovered a widespread npm software supply chain attack where malicious JavaScript packages were published to steal form data from apps and websites. The campaign used typosquatting to impersonate legitimate packages and shared exfiltration infrastructure across domains like graph-googleapis.com and ionicio.com, indicating a coordinated operation around IconBurst. #IconBurst #arpanrizki
Keypoints
- More than two dozen npm packages contained obfuscated JavaScript designed to harvest form data from end users’ apps and websites.
- Attackers relied on typosquatting to impersonate popular modules (e.g., ionicons, umbrellajs) and used multiple accounts (e.g., ionic-io, arpanrizki, aselole) to publish malicious code.
- The campaign appears coordinated, with several modules tied to a small set of publishers and shared exfiltration infrastructure across attacker-controlled domains.
- Malicious code exfiltrates serialized form data by extending the jQuery Ajax functionality, sending data to attacker-controlled domains such as ionicio.com and graph-googleapis.com.
- One malicious package, icon-package, had about 17,000 downloads, illustrating the broad reach across thousands of downstream apps and websites.
- Despite some removals, many malicious modules remained available, underscoring significant software supply chain risk and the need for improved open-source governance.
MITRE Techniques
- [T1027.001] Software Obfuscation – The attackers used a JavaScript obfuscator to disguise the malicious code. “The presence of a javascript obfuscator was the indicator that initially got our team looking at a wide range of npm packages…”
- [T1195] Software Supply Chain – Typosquatting to publish malicious npm packages that imitate legitimate ones. “typosquatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages.”
- [T1567.002] Exfiltration to Web Services – Modified jQuery ajax() to exfiltrate serialized form data to attacker-controlled domains. “extends the behavior of the jQuery ajax() function to exfiltrate serialized form data to domains controlled by the attacker.”
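The two detection signals the report leans on, an obfuscator fingerprint and a near-miss package name, can be turned into a pre-install triage check. The code below is an added example, not code from ReversingLabs or from the packages described; the popular-package list and the scoring thresholds are constructed assumptions, and the sample source strings are constructed, not taken from the campaign.

```javascript
// Added example: cheap triage heuristics for an npm dependency before install.
// Assumption: POPULAR stands in for a real allowlist of packages a project expects.
const POPULAR = ["ionicons", "umbrellajs", "jquery", "lodash", "react"];

// Levenshtein edit distance; one or two edits covers most typosquat variants.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Names within two edits of a popular package, excluding the exact package itself.
function typosquatSuspects(name, popular = POPULAR) {
  return popular.filter((p) => p !== name && editDistance(name, p) <= 2);
}

// Score (do not decide) on fingerprints typical of javascript-obfuscator output:
// hex-style identifiers (_0x1a2b), a rotated string array, dense \x escapes, and
// reassignment of jQuery's ajax() as described in the report. Thresholds are assumptions.
function obfuscationScore(src) {
  let score = 0;
  const hexIds = (src.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length;
  if (hexIds >= 5) score += 2;
  if (/\['push'\]\(.*\['shift'\]\(\)\)/.test(src)) score += 2;
  if ((src.match(/\\x[0-9a-f]{2}/gi) || []).length > 20) score += 1;
  if (/(\$|jQuery)\.ajax\s*=/.test(src)) score += 2;
  return score;
}

// Constructed samples: one mimicking obfuscator output, one ordinary module.
const SAMPLE_OBFUSCATED =
  "var _0x4f2a=['a','b'];(function(_0x1c3d,_0x2e4f){var _0x3a5b=function(_0x4c6d){" +
  "while(--_0x4c6d){_0x1c3d['push'](_0x1c3d['shift']());}};_0x3a5b(++_0x2e4f);}(_0x4f2a,0x1a3));";
const SAMPLE_CLEAN = "export function add(a, b) { return a + b; }";

function triage(name, src) {
  return { name, typosquatOf: typosquatSuspects(name), obfuscation: obfuscationScore(src) };
}

console.log(triage("ionicon", SAMPLE_OBFUSCATED), triage("react", SAMPLE_CLEAN));
```

A non-empty typosquatOf list or an obfuscation score of 2 or more is a reason to hold the package for manual review, not proof of compromise.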
Indicators of Compromise
- [Domain] graph-googleapis.com, ionicio.com, and other exfiltration domains used by the campaign (the report lists multiple attacker-controlled domains).
- [SHA1] 8ab228743d3fef5c89aa55c7d3a714361249eba8, f0221e1707075e2976010d279494bb73f0b169c7
- [Package/File Name] icon-package, footericon (malicious npm modules used in the campaign)
Read more: https://blog.reversinglabs.com/blog/iconburst-npm-supply-chain-attack-grabs-data-from-apps-websites