Researchers Uncover Malicious NPM Packages Stealing Data from Apps and Web Forms

A widespread software supply chain attack has targeted the NPM package manager since at least December 2021 with rogue modules designed to steal data entered in forms by users on websites that include them.

The coordinated attack, dubbed IconBurst by ReversingLabs, involves no fewer than two dozen NPM packages that include obfuscated JavaScript, which comes with malicious code to harvest sensitive data from forms embedded in downstream mobile applications and websites.

“These clearly malicious attacks relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages,” security researcher Karlo Zanki said in a Tuesday report. “Attackers impersonated high-traffic NPM modules like umbrellajs and packages published by”

The packages in question, most of which were published in the last months, have been collectively downloaded more than 27,000 times to date. Worse, a majority of the modules continue to be available for download from the repository.

Some of the most downloaded malicious modules are listed below:

  • icon-package (17,774)
  • ionicio (3,724)
  • ajax-libs (2,440)
  • footericon (1,903)
  • umbrellaks (686)
  • ajax-library (530)
  • pack-icons (468)
  • icons-package (380)
  • swiper-bundle (185), and
  • icons-packages (170)
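
A defender can check a project's lockfile for these names, including transitive installs. The following is an added example, not code from ReversingLabs or the original article: it flags installed packages whose names appear in the list above or sit within a small edit distance of a package the project intends to use. The `INTENDED` list, the `maxDistance` threshold, the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Package names this page lists for the IconBurst campaign.
const ICONBURST = new Set([
  "icon-package", "ionicio", "ajax-libs", "footericon", "umbrellaks",
  "ajax-library", "pack-icons", "icons-package", "swiper-bundle", "icons-packages",
]);
const INTENDED = ["umbrellajs"]; // assumption: names the team means to depend on

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const sub = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(sub, prev[j] + 1, cur[j - 1] + 1);
    }
    prev = cur;
  }
  return prev[b.length];
}

// package-lock.json v2/v3 keys look like "node_modules/a/node_modules/@s/b";
// the installed name is whatever follows the last "node_modules/".
function lockedNames(lock) {
  const names = Object.keys(lock.packages || {})
    .filter((k) => k.includes("node_modules/"))
    .map((k) => k.split("node_modules/").pop());
  return [...new Set(names)].sort();
}

function audit(lock, maxDistance = 2) {
  const findings = [];
  for (const name of lockedNames(lock)) {
    if (ICONBURST.has(name)) findings.push({ name, reason: "listed in IconBurst report" });
    const near = INTENDED.find((p) => p !== name && editDistance(p, name) <= maxDistance);
    if (near) findings.push({ name, reason: `near-miss of ${near}` });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/umbrellajs": { version: "0.0.0" },
  "node_modules/umbrellaks": { version: "0.0.0" },
  "node_modules/widget/node_modules/icon-package": { version: "0.0.0" },
  "node_modules/@demo/forms": { version: "0.0.0" },
}};
console.log(audit(SAMPLE_LOCK));
```

A name match is only a lead: confirm the publisher and contents of any flagged package before removing or trusting it.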

In one instance observed by ReversingLabs, data exfiltrated by icon-package was routed to a domain named ionicio[.]com, a lookalike page engineered to resemble the legitimate ionic[.]io website.


The malware authors behind the campaign further switched up their tactics in recent months to gather information from every form element on the web page, indicating an aggressive approach to data harvesting.

“The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component,” Zanki noted. “The success of this attack […] underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.”
