A widely-utilized JavaScript library, known as art-template, has been compromised in a sophisticated supply chain attack that deployed an iOS browser exploit kit. This breach allowed malicious code to be inserted into users’ browsers, transforming typical web applications into vectors targeting Apple device users globally.
The Genesis of the Attack
The attack began when art-template’s npm package, originally maintained by a developer identified as ‘aui,’ was transferred to an unknown individual. Under this new ownership, the package was swiftly weaponized. Reports pointing out the unusual behavior were deleted, and malicious versions continued to be distributed, keeping the attack hidden from discovery.
Socket.dev’s researchers reported to Cyber Security News (CSN) that their investigation connected this operation to the Coruna exploit kit, previously documented as an iOS exploit framework. Their study, titled ‘Coruna Respawned,’ indicated that the backdoored package’s method of delivery paralleled patterns seen in the earlier framework, suggesting direct reuse or a closely related derivative.
Details of the Exploit
The compromised versions of the package rolled out an escalating series of injections across multiple updates. Version 4.13.3 concealed an encoded loader that connected to an external domain. Subsequent versions, 4.13.5 and 4.13.6, dropped the obfuscation and embedded a plaintext script loader directly into the browser bundle file. As a result, any web application incorporating these versions silently executed the exploit kit in every user’s browser.
Given the package’s extensive use in JavaScript projects worldwide, the scope of exposure was significant. Developers unknowingly became conduits for a targeted mobile attack against their users, with no visible changes to alert them.
Technical Mechanisms and Mitigation
The core of the malicious activity is a JavaScript implant that acts as a watering-hole exploit delivery mechanism. Once deployed via the compromised npm package, it discreetly profiles each site visitor. Activation occurs only on Safari running on specific iOS versions; on other browsers, and on iOS versions above 17.2, it silently exits.
Upon identifying a matching device, the implant transmits the victim’s IP address, iOS version, and a tracking code to a command-and-control server every ten seconds. Anti-bot checks ensure the target is genuine before the final payload is deployed, tailored to the victim’s iOS version.
Developers are advised to audit dependency trees for art-template versions 4.13.3 to 4.13.6. Essential mitigation steps include locking dependencies, reviewing browser bundle outputs for unexpected loaders, and monitoring network requests from JavaScript applications.
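The dependency audit described above, as an added example that is not the article’s or the art-template project’s own code: a Node.js script that walks the “packages” map of a lockfileVersion 2 or 3 package-lock.json and flags every art-template entry, direct or nested, whose version falls in the 4.13.3 to 4.13.6 range. The lockfile contents are constructed sample data; the helper names are assumptions.

```javascript
// Added example (not the article's or art-template's code): audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for art-template
// entries inside the compromised 4.13.3 .. 4.13.6 range.
const AFFECTED_PKG = "art-template";
const AFFECTED_MIN = [4, 13, 3];
const AFFECTED_MAX = [4, 13, 6];
// Numeric core only; a prerelease of an affected number counts as affected.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map(Number);
  return parts.length === 3 && !parts.some(Number.isNaN) ? parts : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, AFFECTED_MIN) >= 0 &&
    compareVersions(v, AFFECTED_MAX) <= 0;
}

// Keys look like "node_modules/art-template" or, for a nested copy pulled in
// by another dependency, "node_modules/<parent>/node_modules/art-template".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === AFFECTED_PKG && meta.version && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a direct install of a bad version plus a
// nested copy that is outside the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/art-template": { version: "4.13.5" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/art-template": { version: "4.13.2" },
  },
};
for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${hit.path} @ ${hit.version}`); // prints the 4.13.5 entry only
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project’s package-lock.json; a hit on any path, including nested copies, means the bundle needs the loader review and network monitoring described above.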
The meticulous nature of the attack, marked by browser-level exploitation rather than traditional phishing, highlights the need for rigorous security scrutiny and immediate action for any application using the affected versions.
