Trojanized jQuery Packages Discovered on npm, GitHub, and jsDelivr

Supply Chain Sabotage: Trojanized jQuery on npm, GitHub, and jsDelivr

In a chilling wake-up call for developers and security experts alike, unknown threat actors have launched a “complex and persistent” supply chain attack by distributing trojanized versions of jQuery across well-known platforms such as npm, GitHub, and jsDelivr. This methodical and stealthy attack could have widespread consequences for anyone using these compromised libraries in their projects.

In an analysis made public last week, Phylum highlighted the intricacies and nuances of the attack.

“This attack stands out due to the high variability across packages. The attacker has cleverly hidden the malware in the seldom-used ‘end’ function of jQuery,” said Phylum.

The attackers have demonstrated an unprecedented level of sophistication by embedding the malicious payload within the less frequent ‘end’ function of the jQuery library. This strategic move makes it exceedingly difficult for typical detection methods to identify the threat.

The Anatomy of the Attack

The attackers leveraged multiple platforms to propagate their trojanized versions of jQuery. These include:

  • npm: A popular package manager for JavaScript, often used to manage dependencies in Node.js applications.
  • GitHub: The go-to repository for software development, sharing, and version control.
  • jsDelivr: A public content delivery network that caches and speeds up the delivery of various JavaScript libraries, including jQuery.

By distributing their malicious code through such widely used platforms, the threat actors have maximized their reach, potentially putting thousands of applications at risk. The running code would not exhibit any malicious behavior until the ‘end’ function is invoked, masking their presence and enabling inconspicuous data exfiltration or other nefarious activities.


Hint: Always validate the source and integrity of your dependencies. Use tools like Snyk or npm audit to regularly scan your projects for vulnerabilities.

Best Practices and Mitigation Strategies

In light of this sophisticated attack, developers and security professionals should adopt a more robust approach to safeguard their projects:

  1. Regular Audits: Implement regular security audits of your project’s dependencies. Utilize tools designed for this purpose to streamline the process.
  2. Vendor Verification: Ensure the authenticity of the packages you’re using. Trust only verified sources and maintain a ‘zero trust’ policy towards unverified third-party libraries.
  3. Community Engagement: Engage with the community to stay updated on the latest threats and remediation techniques. Platforms like GitHub often have community-driven insights and alerts on newly discovered vulnerabilities.

Feel free to leave a comment below or share this article on your social networks. Let’s get the word out on this pressing issue!

Discover more from KrofekSecurity

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *