Researchers discover malicious NPM packages that steal data from apps and web forms


A widespread attack on the software supply chain since at least December 2021 has targeted the NPM package manager with fraudulent modules designed to steal data entered into forms by users on websites containing it.

The coordinated attack, dubbed IconBurst by ReversingLabs, involves no less than two dozen NPM packages containing obfuscated JavaScript, which comes bundled with malicious code to collect sensitive data from forms-embedded downstream mobile applications and websites.

“These clearly malicious attacks were based on typo-squatting, a technique where attackers serve packages through public repositories with names similar to – or common misspellings of – legitimate packages,” security researcher Karlo Zanki said in a Tuesday report. “Attackers imitated high-traffic NPM modules such as umbrellas and packages published by”

The packages in question, most of which have been published in recent months, have collectively been downloaded more than 27,000 times to date. Worse, a majority of the modules remain available for download from the repository.

Some of the most malicious modules that are downloaded are listed below:

icon-package (17,774) ionicio (3,724) ajax-libs (2,440) footericon (1,903) umbrellas (686) ajax-library (530) pack-icons (468) icons-pack (380) swiper bundle (185), and icon packs (170)

In one case observed by ReversingLabs, data exfiltrated by icon package was routed to a domain called ionicio[.]com, a lookalike page designed to resemble the legitimate ionic[.]io website.

The malware authors behind the campaign have further tweaked their tactics in recent months to collect information from every form element on the web page, indicating an aggressive approach to data collection.

“The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component,” noted Zanki. “The success of this attack […] underlines the freewheeling nature of application development and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.”