A new and sophisticated supply chain attack has emerged, targeting the widely trusted jQuery Migrate library—a tool commonly used to ensure compatibility between different versions of jQuery. This attack leverages the trust in the library to stealthily deliver malware to unsuspecting users and organizations.
Attack Details
• Malicious jQuery Migrate Variant: Attackers created a trojanized version of the legitimate jquery-migrate-3.4.1.min.js file. This malicious file was distributed through compromised websites, particularly those running WordPress, and was designed to appear identical to the authentic library.
• Delivery Mechanism: The attack chain often began when a user visited a legitimate website that had been compromised. The site would silently load the corrupted jQuery Migrate script in the background, making detection difficult.
• Use of Parrot TDS: The Parrot Traffic Direction System (TDS), a known tool for distributing malware, was used to facilitate the delivery of the weaponized library. Parrot TDS helped attackers selectively serve the malicious script to targeted visitors, further reducing the likelihood of widespread detection.
• Malware Capabilities: Once executed, the malicious script could steal credentials, exfiltrate sensitive form data, and potentially deliver additional payloads. In some cases, it specifically targeted login credentials by injecting fake login forms or capturing input data.
Technical Analysis
• The infected JavaScript file maintained the appearance and much of the functionality of the legitimate jQuery Migrate library, making it difficult for automated defenses and manual reviewers to spot the compromise.
• The malware was injected in a way that allowed normal website operations to continue, minimizing suspicion from users and site administrators.