
Researchers have discovered a supply chain attack that uses packages hosted on the Node Package Manager (NPM), the package manager for the Node.js JavaScript platform.
The attack involves more than two dozen NPM packages that contain obfuscated JavaScript. The packages are designed to steal data from individuals using applications or websites where the malicious packages have been deployed.
The full extent of the attacks is unknown, but the malicious packages are believed to have been used by a vast number of downstream websites and mobile and desktop applications. One of the malicious packages, dubbed IconBurst, has been downloaded more than 17,000 times.
The malicious NPM packages were distributed using a typosquatting technique, in which the threat actors disguise the malicious code under names that resemble, or are common misspellings of, legitimate packages. The attackers impersonate high-traffic NPM modules such as umbrellajs and packages published by ionic.io.
Through these packages they target end users of the software and their data, rather than development organizations. The similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are under the control of a single actor.
The attack marks a significant escalation in software supply chain attacks: very few development organizations can detect malicious code within open-source libraries and modules, and the attacks persisted for months before being discovered.