Recent NPM package hack is an alarming reminder of the risks of website supply-chain fraud | Imperva


There are over 1.8 billion websites online today. Almost 98% of them are powered by JavaScript, and for a good reason: JavaScript’s flexibility and portability enable the rich online functionality we’ve all come to know and love. But when that same functionality becomes a significant vector for cyberattacks, we are often reminded of the risks this poses to the website supply chain.

The incident

On Friday, October 22, a highly popular JavaScript library, UAParser.js, was compromised and modified to include malicious code. An analysis of this code revealed extra scripts that would download and execute binaries from a remote server. The malicious code enabled the download and installation of criminal tools, such as a password stealer and a cryptocurrency miner, on all systems that used the compromised version of the library. Thanks to a quick response from author Faisal Salman, the library has been patched, but this incident serves as a very concerning reminder of the risks associated with JavaScript. Because this library is downloaded millions of times weekly and used by some of the biggest tech giants, billions could be at risk of data theft as well as a host of other criminal activities.

What the incident means for organizations

Web application attacks have increasingly become stepping stones to more complex attacks in which attackers exploit the application to steal credentials, then use those credentials to access the broader network to execute malware or exfiltrate sensitive data. In fact, according to the 2021 Verizon Data Breach Investigations Report, 20% of malware directly installed by attackers was dropped from a web application. Organizations must prepare for an era when data breaches are no longer solely a database protection issue. Data exfiltration attacks like Magecart, formjacking and other online-skimming techniques are just as much a data breach. For example, in one high-profile Magecart attack, hackers used just 22 lines of JavaScript to steal 380,000 customer payment card details.

It’s a visibility issue

As website supply chains become more complex and opaque, it’s difficult for organizations to establish precisely how many of these integrations are running on their websites – or who owns and manages them. For many security teams, managing the client-side risk posed by JavaScript, third-party integrations and other web apps is a genuine challenge. Most organizations end up with a blind spot regarding the very services they’re supposed to protect.

What happens to the scripts that no one is using any more? Or the apps running on long-forgotten landing pages? When multiple teams, each with different goals and skills, are working on the same websites and applications, it’s hardly surprising that they could be out of step. It’s safe to assume that there’s a lot of untrusted, untested code running on enterprise websites that no one knows is there – and that’s the kind of place client-side attackers thrive in.

What can you do about it?

Imperva customers utilizing Client-Side Protection in its blocking mode are protected from any data transfers to new third-party domains.

Imperva Client-Side Protection provides security teams with visibility into the JavaScript services executing on your website at any given moment. It automatically scans for existing and newly added services, eliminating the risk of them being a blind spot for security. Imperva handles the difficult part of Content-Security-Policy for your organization, making it a viable part of mitigation. The domain risk score adds a credibility rating for each service, making it easier for security teams to determine the nature of each service and whether it should be allowed to run. Simplified actions let you allow approved domains while blocking unapproved ones. Client-Side Protection ensures your customers’ sensitive information doesn’t end up being transferred to unauthorized locations and that no fraudsters are exploiting your visitors.
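To make the Content-Security-Policy approach concrete, here is an added example (not Imperva's code and not from the original post) that inventories the script origins found in a page, builds a policy naming only approved domains, and reports the rest for review. The sample HTML, every hostname and the `APPROVED` list are constructed placeholders.

```javascript
// Constructed sample page; every hostname here is a placeholder.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.approved.example/lib/ua-parser.min.js"></script>
  <script src="https://tags.analytics.example/t.js"></script>
  <script src="//widgets.unknown.example/chat.js"></script>
</head></html>`;

// Origins of all <script src> tags, resolved against the page URL.
// A regex is enough for this sample; use a real HTML parser on live pages.
function scriptOrigins(html, pageUrl) {
  const origins = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) origins.add(new URL(m[1], pageUrl).origin);
  return origins;
}

// approved = { script: [origins allowed to serve code],
//              connect: [origins allowed to receive data] }
function buildPolicy(html, pageUrl, approved) {
  const self = new URL(pageUrl).origin;
  const allowed = [], unapproved = [];
  for (const origin of scriptOrigins(html, pageUrl)) {
    if (origin === self) continue; // already covered by 'self'
    (approved.script.includes(origin) ? allowed : unapproved).push(origin);
  }
  const header = [
    "default-src 'self'",                                  // fallback, also covers image beacons
    ["script-src 'self'", ...allowed].join(" "),           // approved origins actually in use
    ["connect-src 'self'", ...approved.connect].join(" "), // fetch/XHR/sendBeacon targets
    "form-action 'self'",                                  // forms cannot post elsewhere
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
  return { header, unapproved };
}

const APPROVED = {
  script: ["https://cdn.approved.example", "https://tags.analytics.example"],
  connect: ["https://tags.analytics.example"],
};
const report = buildPolicy(SAMPLE_HTML, "https://shop.example/checkout", APPROVED);
console.log("Content-Security-Policy:", report.header);
console.log("Unapproved script origins:", report.unapproved);
```

Sending the same value as `Content-Security-Policy-Report-Only` first surfaces what the policy would block before it is enforced.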

Client-Side Protection is a part of Imperva’s Application Security Suite.