Careful, that jQuery package could be loaded with Trojans

A white padlock on a dark digital background.
(Image credit:

Hackers are, once again, targeting software developers through a “complex and persistent” supply chain attack.

Recently, cybersecurity researchers from Phylum discovered a new campaign in which unidentified hackers distributed dozens of malicious libraries on different code repositories, including npm, GitHub, and jsDelivr.

All of these libraries impersonated jQuery, a small, fast and feature-rich JavaScript library designed to simplify the client-side scripting of HTML. 

Dozens of packages

With jQuery, it is easier to write JavaScript code, since the library provides different features such as simplified event handling, animations, and Ajax interactions. It allows developers to accomplish complex tasks with fewer lines of code compared to plain JavaScript.

"This attack stands out due to the high variability across packages," Phylum said. "The attacker has cleverly hidden the malware in the seldom-used 'end' function of jQuery, which is internally called by the more popular 'fadeTo' function from its animation utilities."

So far, Phylum identified 68 packages, published between late May and late June this year. Some of the names of the packages include cdnjquery, footersicons, jquertyi, jqueryxxx, logoo, and sytlesheets.

This is not the first time hackers are targeting software developers, and their clients, through weaponized packages. Usually, however, there is a healthy dose of automation in such campaigns, reflected in the way the packages are named, and in the dates they are uploaded. This campaign, on the other hand, seems to be fully manual, since it doesn’t check any of these boxes.

Among the different repositories, PyPI, GitHub, and npm, are most frequently targeted. 

PyPI, for example, was forced to suspend new account and new project creation, on multiple occasions, to prevent hackers from uploading large amounts of malicious packages. GitHub, on the other hand, saw hackers upload “millions of repos capable of stealing sensitive information and information cookies” in late February this year.

Via TheHackerNews

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.