Researchers at Trustwave's SpiderLabs have noticed a rather large uptick in the number of jQuery files that have been injected with malicious code over the last few months. The actors behind the hijackings are using their code to serve up fake software updates, including alleged Adobe Flash Player installations.
In a blog post on the subject, Trustwave's Ben Hayak and Rami Kogan said:
"We hear a lot about various techniques and vulnerabilities used to inject malicious code into webpages. Sometimes, for the attackers, the focus is not on how to get the code there, but how to hide it in order to keep it there for as long as possible. It seems that as of late injecting malicious code into jQuery is one of attackers' favorite methods for doing so."
There were 39 new malicious jQuery libraries placed online in the 24 hours before the blog post was written, and that is only a small sample of the overall problem. Over the last six months, the researchers have noted a 160 percent jump in the number of injected libraries.
As the researchers note:
"In this case, speed and efficiency have higher priority than human readability; therefore jQuery includes only essential features to keep the code tight and focused by using minimal variable and function names, minimal use of spaces, no comments, etc. In addition, developers usually use jQuery libraries as a plug-and-play product, which doesn’t require maintenance apart from library updates. Because jQuery libraries are minified and infrequently reviewed by those using them, jQuery becomes a good place to hide malicious code."
The best defense against having your code hijacked like this is a solid offense: change monitoring on the deployed scripts, so that any modification to a library file is flagged, and consistent code review of the scripts and libraries a site loads. Regular code audits also help spot problems should a library become compromised despite those controls.