Security researchers at ReversingLabs have published details of a campaign named ‘IconBurst’. The campaign is a supply chain attack that plants malicious NPM modules to steal user data from compromised desktop, mobile, and web applications. More than two dozen malicious modules taking part in the IconBurst campaign have been identified, and they are suspected to have been downloaded more than 27K times collectively. There is no data on how widely these NPM packages are used in applications and websites; the number could be in the hundreds or thousands. No estimate has been made of the amount of user data stolen either. We suggest you scan your NPM development environment for these malicious NPM modules and take action to protect your NPM from the IconBurst campaign.
Victims Of Malicious npm Packages:
ReversingLabs says there is no sign of a clear target as of the date this post was published. However, the investigation is still in progress, and new developments will be shared if any emerge.
Karlo Zanki, Reverse Engineer at ReversingLabs, says, “While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites.”
How Did Attackers Deliver Malicious NPM Packages In The IconBurst Campaign?
Attackers used typosquatting in this campaign. In typosquatting, attackers create a new (malicious) package whose name closely resembles that of a legitimate package and publish it in public repositories, counting on users who mistype or misread the name when installing from the repository. The enormous download volume of the legitimate packages makes it easier for attackers to get a confused user to install the malicious package on a victim system.
In addition to typosquatting, the attackers were also seen using dependency confusion, in which they publish the malicious packages with extremely high version numbers so that they appear to be the latest release.
How To Protect Your NPM From The IconBurst Campaign?
Ensure that all installed packages are legitimate. We suggest you scan your NPM development environment for the modules listed in the section below and take action to protect your NPM from the IconBurst campaign.
A Simple Way To Scan The NPM Development Environment For Malicious Modules:
- Create a text file ‘examplenpmpackages.txt’ containing all the malicious package names listed below, one per line.
- Navigate to the NPM project directory.
- Run this command:
npm list | grep -f examplenpmpackages.txt
npm list (or npm ls) lists the installed packages. Its output is piped to grep -f, which filters it down to the lines matching any of the package names in the examplenpmpackages.txt file.
It is always good to deploy intelligent supply chain security solutions such as JFrog Xray to prevent such attacks in future.
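A deeper version of the scan above, as an added example that is not part of the original post: a Node script that checks the full dependency tree (including transitive dependencies, which `npm list` on npm 7+ omits unless you pass `--all`) by exact name and version rather than by grep substring, and also flags any other version of a listed name. The package subset, the sample tree and the project name are constructed for the example.

```javascript
// Added example (not from the original post): scan an npm dependency tree
// for the IconBurst packages by exact name@version, and flag any other
// version of a listed name as suspicious. Input shape is the JSON that
// `npm ls --all --json` prints (npm 7+; plain `npm ls --json` on npm 6):
// each dependency has a "version" and may nest its own "dependencies".

// name@version pairs copied from the table below (a subset, for brevity).
const IOCS = new Set([
  "icon-package@5.0.0",
  "ionicio@5.0.0",
  "swiper-bundle@1.0.0",
  "footericon@1.0.0",
]);
// Bare names: the list is open-ended, so any version of these names is worth a look.
const IOC_NAMES = new Set([...IOCS].map((s) => s.slice(0, s.lastIndexOf("@"))));

// Recursively walk the tree. Each finding records the chain of dependencies
// from the project root, so you can see which direct dependency pulled it in.
function scanTree(node, path = [], findings = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, name];
    let match = null;
    if (IOCS.has(`${name}@${dep.version}`)) match = "exact";
    else if (IOC_NAMES.has(name)) match = "name-only";
    if (match) {
      findings.push({ name, version: dep.version, match, path: chain.join(" > ") });
    }
    scanTree(dep, chain, findings); // transitive dependencies
  }
  return findings;
}

// Constructed sample tree (hypothetical project): one transitive exact hit,
// one listed name at an unlisted version, and one benign package.
const SAMPLE_TREE = {
  name: "demo-app",
  dependencies: {
    "my-ui-kit": {
      version: "1.2.0",
      dependencies: { "icon-package": { version: "5.0.0" } },
    },
    footericon: { version: "2.0.0" },
    lodash: { version: "4.17.21" },
  },
};

for (const f of scanTree(SAMPLE_TREE)) {
  console.log(`${f.match}: ${f.name}@${f.version} via ${f.path}`);
}
```

To use it on a real project, replace SAMPLE_TREE with the parsed output of `npm ls --all --json` and extend IOCS with every row of the table below.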
List Of Malicious NPM Packages Seen In IconBurst Campaign:
This table lists a total of 31 malicious NPM packages, with version numbers, identified so far. Please visit this page for new updates.
#Num | Package Name | Package Version | SHA1 |
1 | ionic-icon | 4.7.0 | 8ab228743d3fef5c89aa55c7d3a714361249eba8 |
2 | ionicio | 5.0.0 | f0221e1707075e2976010d279494bb73f0b169c7 |
3 | icon-package | 5.0.0 | 9299a3eb1f11fcc090c7584bb9ce895ba38fd2cb |
4 | icon-package | 5.1.0 | 6092606456adce8eb705ba33ad3e9536682d917f |
5 | icon-package | 5.2.0 | d106693abc732a93176085410c67c4581de28447 |
6 | icon-package | 5.3.0 | 5a631ab46373251dade6dca5bb460b55bf738a64 |
7 | icon-package | 5.4.0 | c173de3d3ee1dd0920ee5a3a4f80d8c280ce2697 |
8 | icon-package | 5.5.0 | 49f2bc011d1beece62b7a4ed47818e288b71edb6 |
9 | icon-package | 5.9.0 | cf8a7066865ab6d009e226096fa879867b8e61bc |
10 | icon-package | 6.0.0 | 6e2b0d621bf6031beee18b897b2da5d93d3ce5e7 |
11 | icon-package | 6.0.1 | 164ff2295b63434e8b260a46041669c98eab4235 |
12 | icon-package | 6.0.2 | 96aca5e901bd8f1229683339766073e4e5d1de59 |
13 | icon-package | 6.6.6 | 6253324c1d741c1be3ae20fd8262adb54530ee8b |
14 | icon-package | 6.6.7 | c77eda629d2076663276bc48c7462ea07470dbdc |
15 | icon-package | 6.6.8 | b7dc23a51469574205b0691944f4120e2d92e64d |
16 | icon-package | 7.7.7 | 83e5ebd7f355b1655778a37db6b6953042fb77c4 |
17 | icon-package | 7.7.8 | 123dad7d48c47486e9c226ad50b26b2ba5ec9fe2 |
18 | icon-package | 7.7.9 | 17fef01df47ceb87b2755f4a18db23d8f7276d30 |
19 | icon-package | 8.0.9 | ae70ef4e5a0bb522179e5d488ed56efb9ae5b4d9 |
20 | icon-package | 9.0.0 | e66609e433e5b51a148889ff128bd7182fe22d4b |
21 | ajax-libs | 9.0.1 | 54549337e60eede3d4dc6b52662c582449b66c40 |
22 | ajax-libs | 9.0.2 | fd72a461bb62dce8989f1c24bdcc6ae6d4eaabc5 |
23 | ajax-libs | 9.0.3 | 66c41baf38e29c4b0a979cff35df4a1eed11e13e |
24 | umbrellaks | 1.0.0 | 81031febc2ed49bdd8c8f7ca810830df1b0d3476 |
25 | ajax-library | 1.0.0 | 326dab8f5d4dab461ca5fd14f136503d12227eae |
26 | ajax-library | 1.0.1 | 2afd6730426166f061d96a8ccbfba8d8c7ed9e3e |
27 | iconion-package | 1.0.0 | 73db956f7f752c4f71a8a8588604fa7d7af7de7e |
28 | package-sidr | 2.2.2 | 87cb0505dbb141391103e2bd358f3aa774210a4a |
29 | kbrstore | 1.0.0 | 7e14150502ee992fc8b1259de58261aeb2f58ae1 |
30 | icons-package | 4.4.4 | fb672c0b982542eeacce66be67a5bc4ff9567596 |
31 | icons-package | 4.4.5 | a386ddf8fb1d0846e01501f6fbac11e0389ef581 |
32 | icons-package | 2.2.2 | a5ad7a0edda67b7267694898a82abbee1ec7a466 |
33 | icons-package | 3.0.9 | 20254c86209118144e6a25fb90abea6f7c903d8e |
34 | subek | 1.0.0 | 68d1c1883cfab75fa933ab08189ba7abbd2625a8 |
35 | package-show | 5.5.9 | def789dc6322255264703c00d4f4dd265a48b50e |
36 | package-icon | 6.0.5 | 1a719f2efa398ef8659a401e6209377beab87105 |
37 | icons-packages | 7.4.0 | a2d25c070750cbd20f0c327980a40c26f4ea47ec |
38 | ionicon-package | 9.0.3 | f78a57ab8e288c725e452787f3b070ec690f276b |
39 | icons-pack | 7.8.3 | 6388e354433f8c608ab8a97ed9391b9dc44d2a99 |
40 | pack-icons | 2.4.3 | cda4b444744196ae9b2753830f750bc5e4548061 |
41 | package-ionicons | 8.0.5 | abb8ff44d224b23266769d0808ebe97c3838e484 |
42 | package-ionicon | 8.0.5 | c11d9aa077207adeef30cfdd9df3fe979e114b06 |
43 | footericon | 1.0.0 | 067e42878df480c0d1ca45c268300c96a258be63 |
44 | footericon | 3.7.1 | 06dbd365e76e7cb593df86a80385e8c46ca05545 |
45 | footericon | 3.7.0 | 8562edf90e988f7ca556183c2f032bc307dfefdb |
46 | footericon | 3.7.3 | 08bc77bb17b6a4ab365d0354683cbd912219becf |
47 | footericon | 1.7.9 | 9f5f2f34f15a03c4528d6fa632899d0e3b6d1ceb |
48 | roar-01 | 1.0.0 | 8c128c3be9645582db2fee9e64e175149d51d92c |
49 | roar-02 | 1.0.0 | a1e2cb98d2aa1b134b3be04d6a720393dcf6c072 |
50 | wkwk100 | 3.4.5 | 9f2a2001a07b92adef023ca697e4febba073728e |
51 | swiper-bundie | 10.5.3 | b64a10493897c96feb6eda1d0c9fc7ec85506258 |
52 | ajax-libz | 1.0.0 | dd01c6baadd1d79f29b3d69a300e82b860edc57d |
53 | swiper-bundle | 1.0.0 | 05d2084e1b2ce1d28c3096f16694413ec480704e |
54 | swiper-bundle | 3.7.1 | 1de14d6be4029aa7888f8fc83779b61c96c063da |
55 | swiper-bundle | 10.52.3 | 06cb7b1810ca1485e15fa81d92bd92533ff8c001 |
56 | swiper-bundle | 10.22.3 | fa234405c958a9ff22bac7debfbcde452294d73c |
57 | swiper-bundle | 10.21.3 | 64cd1eda88f92b32323f9784aab6d1a0bdd7a38c |
58 | ionicons-pack | 1.5.2 | fe59a8d59f6764800ce5b85f2bfbc4db05840bae |
59 | base64-javascript | 3.7.2 | 77170de7458ee81382efd7de2499694a459abee3 |
60 | ionicons-js | 5.0.2 | 069f9c723af8be981a3e6220b991b9c40320d8b5 |
61 | ionicons-json | 5.0.2 | 52a96612e3d2df0a7980de81d622da6c5ff84513 |
62 | atez | 1.0.0 | c6569dc3fd94f642cad56cb7a950175ff7c2062f |
Upon further investigation, the research team said they had identified common connections among the packages: a few user accounts (ionic-io, arpanrizki, kbrstore, and aselole) and a set of domains.
List Of Malicious NPM Modules With Associated Author Names And Download Counts:
Author | Package name | Download count |
fontsawesome | ionic-icon | 108 |
fontsawesome | ionicio | 3,724 |
ionic-io | icon-package | 17,774 |
ionic-io | ajax-libs | 2,440 |
ionic-io | umbrellaks | 686 |
ionic-io | ajax-library | 530 |
arpanrizki | iconion-package | 101 |
arpanrizki | package-sidr | 91 |
arpanrizki | kbrstore | 89 |
arpanrizki | icons-package | 380 |
arpanrizki | subek | 99 |
arpanrizki | package-show | 103 |
arpanrizki | package-icon | 122 |
kbrstore | icons-packages | 170 |
kbrstore | ionicon-package | 64 |
kbrstore | icons-pack | 49 |
kbrstore | pack-icons | 468 |
kbrstore | ionicons-pack | 89 |
aselole | package-ionicons | 144 |
aselole | package-ionicon | 57 |
aselole | base64-javascript | 40 |
aselole | ionicons-js | 38 |
aselole | ionicons-json | 39 |
footericon | footericon | 1,903 |
ajax-libz | roar-01 | 40 |
ajax-libz | roar-02 | 37 |
ajax-libz | wkwk100 | 38 |
ajax-libz | swiper-bundie | 39 |
ajax-libz | ajax-libz | 40 |
ajax-libz | swiper-bundle | 185 |
ajax-libz | atez | 43 |
IoCs Of IconBurst Campaign:
We hope this post will help you know how to protect your NPM from the IconBurst campaign.
Original article by ItWorker. If reprinting, please cite the source: https://blog.ytso.com/276035.html