Security researchers at ReversingLabs have reportedly uncovered a new software supply chain attack that affects thousands of applications and websites. According to the researchers, the affected software pulled in malicious npm packages and modules, some of which have been on the registry for at least six months. During its investigation, ReversingLabs also identified obfuscated JavaScript inside the packages, written specifically to steal data from the applications and sites that loaded it. The campaign further relies on typosquatting: publishing packages under names that closely resemble legitimate ones so that developers install the malicious package by mistake.
The attackers reportedly impersonated high-traffic npm modules using slightly altered names. Many of the packages were published under the name ionic.io, whereas the legitimate package they imitate is ionicons, a popular open source icon set that offers more than 1,000 icons for web, iOS, Android, and desktop. Although the full extent of the campaign remains unclear, it highlights a systemic challenge for developers deploying open source components: a package name or publisher name on a registry is not a verified identity, and a close lookalike is easy to mistake for the real thing.
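The check a practitioner would want against the name-impersonation technique described above is a dependency audit that compares every name in package.json against an allow-list of packages the team actually intends to use and flags near-misses. The following is an added example, not code from ReversingLabs or from the ionicons project; the allow-list, the package.json contents and the lookalike names (such as "ionicosn" and "ionic-ons") are constructed for illustration and are not real packages from the campaign.

```javascript
// Added example (not ReversingLabs' or ionicons' code): flag dependency names that
// are near-misses of a trusted allow-list, the pattern typosquatting relies on.

// Allow-list of packages the project knowingly depends on (assumed; extend per project).
const TRUSTED = ['ionicons', 'lodash', 'react', 'express', 'axios'];

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Canonical form: drop any @scope/ prefix, lower-case, and strip the separators
// an impersonator adds or moves ("ionic-ons", "ionic_ons", "ionic.ons").
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[-_.]/g, '');
}

// Short trusted names get a tighter threshold so unrelated short packages do not collide.
function threshold(trustedName) {
  return trustedName.length <= 5 ? 1 : 2;
}

// Returns one finding per suspicious dependency name in pkg (a parsed package.json).
function auditDependencies(pkg, trusted = TRUSTED) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    if (trusted.includes(name)) continue; // exact allow-listed name, nothing to report
    for (const t of trusted) {
      if (normalize(name) === normalize(t)) {
        findings.push({
          name,
          lookalikeOf: t,
          reason: 'same letters as a trusted package (scope or punctuation differs); verify the publisher',
        });
        break;
      }
      const d = editDistance(name.toLowerCase(), t);
      if (d <= threshold(t)) {
        findings.push({ name, lookalikeOf: t, reason: `edit distance ${d} from a trusted package` });
        break;
      }
    }
  }
  return findings;
}

// Constructed package.json for the demo; the lookalike names are invented, not real packages.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'ionicons': '^7.0.0',              // exact trusted name
    'express': '^4.18.2',              // exact trusted name
    'left-pad': '^1.3.0',              // unrelated, not similar to anything trusted
    'ionicosn': '1.0.0',               // constructed: transposed letters
    'ionic-ons': '1.0.0',              // constructed: inserted hyphen
    '@example-org/ionicons': '1.0.0',  // constructed: trusted name under an unknown scope
  },
  devDependencies: {
    'lodahs': '4.0.0',                 // constructed: transposed letters
  },
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name} -> looks like ${f.lookalikeOf}: ${f.reason}`);
}
```

On the sample above the audit reports the four constructed lookalikes and stays silent on the exact allow-listed names and on left-pad. The allow-list is the important design choice: comparing against "every popular package on npm" produces noise, whereas comparing against the handful of packages a project is supposed to depend on turns a near-miss into a reviewable event. A flagged name still has to be checked by hand, since a legitimate fork can share letters with the original; the point is that it cannot slip through unnoticed.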
Read More: Software Supply Chain Attack Hits Thousands of Apps