216.73.217.22

Persistent npm Campaign Shipping Trojanized jQuery

· Published 10/07/2024 09:36 · Modified 10/07/2024 10:02

Export JSON

Essential information

Published
10/07/2024 09:36
Modified
10/07/2024 10:02
Tags
2024-07-10 exfiltration github malware npm supply-chain
Related entities
67 observables, 6 techniques (mitre)

Description

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like and . The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled by the attackers. The attack stands out due to its high variability across packages, including unique URLs and usernames, as well as the inclusion of personal files in the published packages. This suggests a manual approach rather than an automated one. The report highlights the potential for widespread impact and demonstrates the increasing complexity of supply chain threats.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (67)

  • https://systems-alexhost.xyz
  • https://system-alexhosting.biz.id
  • https://saystem.ditzzultimate.xyz
  • https://qxue.biz.id
  • https://pukil.dannew.biz.id
  • https://project.systemgoods.me
  • https://pokemon.denii.biz.id
  • https://patipride.icikipoxx.pw
  • https://paneljs.hanznesia.my.id
  • https://paneljs.dimashost.xyz
  • https://panel.api-bo.my.id
  • https://panel-host.dmdpanel.my.id
  • https://panel-host.clannesia.com
  • https://ns.api-system.engineer
  • https://nd.api-system.engineer
  • https://log.systems-alexhost.xyz
  • https://log.api-system.engineer
  • https://irisainginbos.icikipoxx.pw
  • https://danu.eventtss.my.id
  • https://cssimage.dimashost.xyz
  • https://apiweb.eventtss.my.id
  • https://api.newrxl.online
  • https://apii.fukaes.ninja
  • https://api.jstyy.xyz
  • https://api.iimg.my.id
  • https://api.codatuys.biz.id
  • https://api-web-vrip.hanznesia.my.id
  • https://api-system.engineer
  • https://api-bo.my.id
  • https://anti-spam.truex.biz.id
  • https://ajax.failexpect.biz.id
  • http://truex.biz.id/halo/?cat=
  • http://apii-pandawara.ganznesia.my.id
  • saystem.ditzzultimate.xyz
  • pukil.dannew.biz.id
  • project.systemgoods.me
  • pokemon.denii.biz.id
  • paneljs.hanznesia.my.id
  • patipride.icikipoxx.pw
  • paneljs.dimashost.xyz
  • panel.api-bo.my.id
  • panel-host.dmdpanel.my.id
  • panel-host.clannesia.com
  • irisainginbos.icikipoxx.pw
  • log.systems-alexhost.xyz
  • danu.eventtss.my.id
  • cssimage.dimashost.xyz
  • apiweb.eventtss.my.id
  • apii.fukaes.ninja
  • api.newrxl.online
  • apii-pandawara.ganznesia.my.id
  • api.jstyy.xyz
  • api.codatuys.biz.id
  • api.iimg.my.id
  • api-web-vrip.hanznesia.my.id
  • anti-spam.truex.biz.id
  • ajax.failexpect.biz.id
  • truex.biz.id
  • systems-alexhost.xyz
  • system-alexhosting.biz.id
  • qxue.biz.id
  • api-bo.my.id
  • ns.api-system.engineer
  • nd.api-system.engineer
  • log.api-system.engineer
  • termux.properties
  • api-system.engineer

Techniques (MITRE) (6)

  • T1102
    Web Service
  • T1192
  • T1140
    Deobfuscate/Decode Files or Information
  • T1195
    Supply Chain Compromise
  • T1190
    Exploit Public-Facing Application
  • T1059
    Command and Scripting Interpreter

External references