• Home
  • |
  • Blog
  • |
  • How To Protect Your NPM From The IconBurst Campaign
How to Protect Your NPM from the IconBurst Campaign

Security researchers from ReversingLabs published about a campaign named ‘IconBurst’. The campaign is a supply chain attack carried out to install malicious NPM modules to steal user data from the compromised desktop, mobile, and web applications. More than a couple of dozens of malicious modules were identified that took part in the IconBurst campaign. It’s been suspected that these malicious modules have been downloaded more than 27K times collectively. There is no data available that tells about the usage of these NPM packages in applications and websites. The number could be a hundred or thousand. Additionally, no estimations were made about the amounts of user data stolen. We suggest you scan your NPM development environment for these malicious NPM modules and take action to protect your NPM from the IconBurst Campaign.

Victims Of Malicious npm Packages:

ReversingLabs says that there are no signs of a clear target as of the day published this post. However, investigations are still in progress; new developments will be shared, if any.

Karlo Zanki, Reverse Engineer at ReversingLabs, says, “While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites.”

How Attackers Delivered Malicious NPM Packages In the IconBurst Campaign?

Attackers used the typosquatting attack method in this campaign. In this method of typosquatting, attackers simply create a new (malicious) package with a name that resembles the legitimate package name and publish them in public repositories. Attackers use this technique to fool the users who try to download the package from the public repositories. Anyways, such a massive amount of downloads of legitimate packages will ease the task of attackers to confuse the user to download malicious packages on victim systems. 

In addition to the typosquatting infection method, attackers were also seen using dependency confusion attacks in that attackers publish the malicious packages with extremely high version numbers that give a feel of the latest package.

How To Protect Your NPM From The IconBurst Campaign?

Ensure all the packages installed are legitimate. We suggest you scan your NPM development environment for the modules listed in the below section and take action to protect your NPM from the IconBurst Campaign.

A simple Way To Scan The NPM Development Environment For Malicious Modules:

  • Create a text file ‘examplenpmpackages.txt’ with all the malicious package names listed below.
  • Navigate to the NPM project directory.
  • Run this command:
npm list | grep -f examplenpmpackages.txt

npm list or npm ls is the command to list the installed packages. Pass the output of the npm list command to the grep command to filter the output by the list of packages listed in the examplenpmpackages.txt file.

It is always good to deploy intelligent supply chain security solutions like JFrog XRAY to prevent such attacks in feature. 

List Of Malicious NPM Packages Seen In IconBurst Campaign:

This table consists of a total of 31 malicious NPM packages with version numbers identified so far. Please visit this page for new updates.

#NumPackage NamePackage VersionSHA1
1ionic-icon4.7.08ab228743d3fef5c89aa55c7d3a714361249eba8
2ionicio5.0.0f0221e1707075e2976010d279494bb73f0b169c7
3icon-package5.0.09299a3eb1f11fcc090c7584bb9ce895ba38fd2cb
4icon-package5.1.06092606456adce8eb705ba33ad3e9536682d917f
5icon-package5.2.0d106693abc732a93176085410c67c4581de28447
6icon-package5.3.05a631ab46373251dade6dca5bb460b55bf738a64
7icon-package5.4.0c173de3d3ee1dd0920ee5a3a4f80d8c280ce2697
8icon-package5.5.049f2bc011d1beece62b7a4ed47818e288b71edb6
9icon-package5.9.0cf8a7066865ab6d009e226096fa879867b8e61bc
10icon-package6.0.06e2b0d621bf6031beee18b897b2da5d93d3ce5e7
11icon-package6.0.1164ff2295b63434e8b260a46041669c98eab4235
12icon-package6.0.296aca5e901bd8f1229683339766073e4e5d1de59
13icon-package6.6.66253324c1d741c1be3ae20fd8262adb54530ee8b
14icon-package6.6.7c77eda629d2076663276bc48c7462ea07470dbdc
15icon-package6.6.8b7dc23a51469574205b0691944f4120e2d92e64d
16icon-package7.7.783e5ebd7f355b1655778a37db6b6953042fb77c4
17icon-package7.7.8123dad7d48c47486e9c226ad50b26b2ba5ec9fe2
18icon-package7.7.917fef01df47ceb87b2755f4a18db23d8f7276d30
19icon-package8.0.9ae70ef4e5a0bb522179e5d488ed56efb9ae5b4d9
20icon-package9.0.0e66609e433e5b51a148889ff128bd7182fe22d4b
21ajax-libs9.0.154549337e60eede3d4dc6b52662c582449b66c40
22ajax-libs9.0.2fd72a461bb62dce8989f1c24bdcc6ae6d4eaabc5
23ajax-libs9.0.366c41baf38e29c4b0a979cff35df4a1eed11e13e
24umbrellaks1.0.081031febc2ed49bdd8c8f7ca810830df1b0d3476
25ajax-library1.0.0326dab8f5d4dab461ca5fd14f136503d12227eae
26ajax-library1.0.12afd6730426166f061d96a8ccbfba8d8c7ed9e3e
27iconion-package1.0.073db956f7f752c4f71a8a8588604fa7d7af7de7e
28package-sidr2.2.287cb0505dbb141391103e2bd358f3aa774210a4a
29kbrstore1.0.07e14150502ee992fc8b1259de58261aeb2f58ae1
30icons-package4.4.4fb672c0b982542eeacce66be67a5bc4ff9567596
31icons-package4.4.5a386ddf8fb1d0846e01501f6fbac11e0389ef581
32icons-package2.2.2a5ad7a0edda67b7267694898a82abbee1ec7a466
33icons-package3.0.920254c86209118144e6a25fb90abea6f7c903d8e
34subek1.0.068d1c1883cfab75fa933ab08189ba7abbd2625a8
35package-show5.5.9def789dc6322255264703c00d4f4dd265a48b50e
36package-icon6.0.51a719f2efa398ef8659a401e6209377beab87105
37icons-packages7.4.0a2d25c070750cbd20f0c327980a40c26f4ea47ec
38ionicon-package9.0.3f78a57ab8e288c725e452787f3b070ec690f276b
39icons-pack7.8.36388e354433f8c608ab8a97ed9391b9dc44d2a99
40pack-icons2.4.3cda4b444744196ae9b2753830f750bc5e4548061
41package-ionicons8.0.5abb8ff44d224b23266769d0808ebe97c3838e484
42package-ionicon8.0.5c11d9aa077207adeef30cfdd9df3fe979e114b06
43footericon1.0.0067e42878df480c0d1ca45c268300c96a258be63
44footericon3.7.106dbd365e76e7cb593df86a80385e8c46ca05545
45footericon3.7.08562edf90e988f7ca556183c2f032bc307dfefdb
46footericon3.7.308bc77bb17b6a4ab365d0354683cbd912219becf
47footericon1.7.99f5f2f34f15a03c4528d6fa632899d0e3b6d1ceb
48roar-011.0.08c128c3be9645582db2fee9e64e175149d51d92c
49roar-021.0.0a1e2cb98d2aa1b134b3be04d6a720393dcf6c072
50wkwk1003.4.59f2a2001a07b92adef023ca697e4febba073728e
51swiper-bundie10.5.3b64a10493897c96feb6eda1d0c9fc7ec85506258
52ajax-libz1.0.0dd01c6baadd1d79f29b3d69a300e82b860edc57d
53swiper-bundle1.0.005d2084e1b2ce1d28c3096f16694413ec480704e
54swiper-bundle3.7.11de14d6be4029aa7888f8fc83779b61c96c063da
55swiper-bundle10.52.306cb7b1810ca1485e15fa81d92bd92533ff8c001
56swiper-bundle10.22.3fa234405c958a9ff22bac7debfbcde452294d73c
57swiper-bundle10.21.364cd1eda88f92b32323f9784aab6d1a0bdd7a38c
58ionicons-pack1.5.2fe59a8d59f6764800ce5b85f2bfbc4db05840bae
59base64-javascript3.7.277170de7458ee81382efd7de2499694a459abee3
60ionicons-js5.0.2069f9c723af8be981a3e6220b991b9c40320d8b5
61ionicons-json5.0.252a96612e3d2df0a7980de81d622da6c5ff84513
62atez1.0.0c6569dc3fd94f642cad56cb7a950175ff7c2062f

Upon further investigation, the research team said they had identified some common connections with a few user accounts like ionic-io; arpanrizki; kbrstore; and aselole and domains.

List Of malicious NPM modules With Associated Author Names And Downloaded Count:

Author / Package nameDownload count
fontsawesome
ionic-icon108
ionicio3,724
ionic-io
icon-package17,774
ajax-libs2,440
umbrellaks686
ajax-library530
arpanrizki
iconion-package101
package-sidr91
kbrstore89
icons-package380
subek99
package-show103
package-icon122
kbrstore
icons-packages170
ionicon-package64
icons-pack49
pack-icons468
ionicons-pack89
aselole
package-ionicons144
package-ionicon57
base64-javascript40
ionicons-js38
ionicons-json39
footericon
footericon1,903
ajax-libz
roar-0140
roar-0237
wkwk10038
swiper-bundie39
ajax-libz40
swiper-bundle185
atez43

IoCs Of IconBurst Campaign:

  • graph-googleapis.com
  • ionicio.com
  • curls.safhosting.xyz
  • arpanrizki.my.id
  • dnster.my.id
  • okep.renznesia.xyz
  • ryucha.my.id
  • panelllgege.001www.com
  • nge.scrp.my.id
  • apiii-xyz.yogax.my.id
  • panel.archodex.xyz
  • panel.curlz.online

We hope this post will help you know How to Protect Your NPM from the IconBurst Campaign. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.