jQuery.com compromised to serve malware via drive-by download

jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, has been compromised and has been redirecting visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware.

While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users, says James Pleger, Director of Research at RiskIQ.

“The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises,” he pointed out.

“Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privileged account holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.”

The attack was first detected on September 18, and since the malicious redirector was hosted on a domain (jquery-cdn.com) that was registered on that same day, it is likely that the attack actually began on that date.

RiskIQ researchers immediately notified the jQuery Foundation about the compromise, and reported that “the site’s administrators were addressing the issue.”

Users who visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging the system, resetting passwords for any accounts that have been used on it, and checking whether suspicious activity (data exfiltration, etc.) has originated from it.

The good news is that there is no indication that the jQuery library itself has been affected.

UPDATE, 23 September, 10:11 PM CET Kris Borchers, Executive Director, jQuery Foundation, has sent us the following quote: “Despite significant investigation after being alerted to a potential issue, the jQuery Foundation has been unable to confirm or unearth any indication that a malicious script ever existed on our servers.”

This article was modified to reflect that statement, and to make clear that RiskIQ researchers stated that the issue was addressed by the jQuery team.

UPDATE, 24 September, 01:40 AM CET James Pleger, Director of Research at RiskIQ, had this to say about their findings: “We run crawling infrastructure that scans websites for security issues, much like a user would. During a crawl, we detected the attempt to exploit our crawler. Because we save the raw content that we receive from websites that we browse, we were able to definitively determine that it came from jquery.com. We were able to verify these findings with several Fortune 100 companies as well, who had seen the jquery-cdn.com domain with a referrer of jquery.com in their proxy logs.”

“This is the raw content that we saw from our crawler. On page 10, you can see the content that their server returned, with the script tag that points to jquery-cdn.com clearly visible.”

UPDATE, 24 September, 12:30 PM CET “So far the investigation has been unable to reproduce or confirm that our servers were compromised,” Ralph Whitbeck, jQuery Foundation board member, shared in a blog post. “We have not been notified by any other security firm or users of jquery.com confirming a compromise. Normally, when we have issues with jQuery infrastructure, we hear reports within minutes on Twitter, via IRC, etc.”

“Even though we don’t have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean,” he pointed out. “Currently the only potential system compromised is the web software or server that runs jquery.com. We have asked RiskIQ to help us look through our server logs and systems to help identify when and how a compromise happened.”

UPDATE, 25 September, 18:00 CET The jQuery Infrastructure team said that it had received widespread reports and confirmed a compromise of jquery.com.

“This attack was aimed at defacing our sites, and did not inject malware like the attack that was reported on September 18th by RiskIQ. We believe that these are separate incidents that may have used the same attack vector,” they shared in a blog post.

“We took the site down as soon as we realized there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities,” they pointed out, adding later that they have moved the site to a new server only running code they trust.

“At no point today have there been reports of malware being distributed from any of our sites, nor has the code of any jQuery libraries on our website or CDN been affected or modified today or during last week’s reported attack. Some of this confusion stems from last week’s attackers having set up a domain name intended to dupe users into thinking it was the official jQuery CDN. Please note that the official domain for jQuery files hosted from our official CDN is code.jquery.com.”
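The two concrete indicators this article gives are the proxy-log pattern RiskIQ describes (requests to jquery-cdn.com with a referrer of jquery.com) and the Foundation's reminder that the only official CDN host is code.jquery.com. The script below is an added example, not code from the article, RiskIQ or the jQuery Foundation: it hunts for the lookalike domain in proxy logs and flags script tags in saved page content whose host is not on an allowlist. The log line layout (client, timestamp, method, URL, referrer, status), the sample log lines and the sample HTML are all constructed for illustration; the request paths under jquery-cdn.com are placeholders, not paths reported by anyone.

```python
"""Hunt for the jquery-cdn.com lookalike in proxy logs and saved page content.

Added example; not code from the article, RiskIQ or the jQuery Foundation.
The log format, log lines and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LOOKALIKE_DOMAIN = "jquery-cdn.com"          # attacker-registered domain named in the article
REFERRER_DOMAIN = "jquery.com"               # referrer seen alongside it in proxy logs
ALLOWED_SCRIPT_HOSTS = ("code.jquery.com",)  # the official jQuery CDN per the Foundation

# Constructed proxy log, hypothetical layout: client ts method url referer status
SAMPLE_PROXY_LOG = """\
10.1.2.3 2014-09-18T14:02:11Z GET http://jquery.com/ - 200
10.1.2.3 2014-09-18T14:02:12Z GET http://jquery-cdn.com/placeholder.js http://jquery.com/ 200
10.1.2.7 2014-09-18T15:30:00Z GET http://code.jquery.com/jquery-1.11.1.min.js http://example.com/ 200
10.1.2.9 2014-09-19T09:00:00Z GET http://www.jquery-cdn.com/other.js http://intranet.example.com/ 200
10.1.2.9 2014-09-19T09:00:01Z GET http://jquery-cdn.com.example.net/x.js - 200
this line is malformed and is skipped
"""

# Constructed page content: one script from the official CDN, one from the lookalike,
# one protocol-relative lookalike reference, one relative (same-origin) script.
SAMPLE_HTML = """\
<html><head>
<script src="http://code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="http://jquery-cdn.com/placeholder.js"></script>
<script src="//jquery-cdn.com/also.js"></script>
<script src="/local.js"></script>
<script>var inline = 1;</script>
</head></html>
"""


def host_matches(host, domain):
    """True if host is exactly domain or a subdomain of it.

    A plain suffix test would also accept 'jquery-cdn.com.example.net'; the
    leading dot in the endswith check prevents that false positive.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_proxy_line(line):
    """Parse one line of the hypothetical log layout; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    client, ts, method, url, referer, status = parts
    return {"client": client, "ts": ts, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "status": status}


def find_lookalike_hits(log_text):
    """Return log records that fetched the lookalike domain, noting the referrer.

    referred_from_jquery marks the exact pattern the article describes: a hit on
    jquery-cdn.com whose referrer is jquery.com (the drive-by redirect chain).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if not host_matches(urlparse(rec["url"]).hostname, LOOKALIKE_DOMAIN):
            continue
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] else None
        rec["referred_from_jquery"] = host_matches(ref_host, REFERRER_DOMAIN)
        hits.append(rec)
    return hits


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return external script URLs whose host is not on the allowlist.

    Relative src values (no host) are same-origin and are not reported;
    protocol-relative ones (//host/path) do carry a host and are checked.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    suspicious = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is None:
            continue
        if not any(host_matches(host, a) for a in allowed):
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    for hit in find_lookalike_hits(SAMPLE_PROXY_LOG):
        flag = "REDIRECT-CHAIN" if hit["referred_from_jquery"] else "lookalike"
        print(f"{hit['ts']} {hit['client']} {hit['url']} [{flag}]")
    for src in find_unexpected_script_hosts(SAMPLE_HTML):
        print("unexpected script host:", src)
```

Run against real proxy exports, the hits with `referred_from_jquery` set are the hosts to prioritise for the re-image and credential reset the article recommends; the HTML check is the same test RiskIQ applied to its saved crawl content, and is equally useful against your own pages to confirm nothing references a jQuery lookalike instead of code.jquery.com.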