jQuery Official Website Compromised To Serve Malware

jQuery.com Compromised To Serve Malware and RIG exploit kit
The official website of the popular cross-platform JavaScript library jQuery (jquery.com) has been compromised and is redirecting its visitors to a third-party website hosting the RIG exploit kit in order to distribute information-stealing malware.

jQuery is a free and open source JavaScript library designed to simplify the client-side scripting of HTML. It is used to build AJAX applications and other dynamic content easily. The popular JavaScript library is used by 30 percent of websites, including 70 percent of the top 10,000 most visited websites.

James Pleger, Director of Research at risk management software company RiskIQ, reported yesterday that the attack against the jQuery.com web servers was launched for a short period of time on the afternoon of September 18th.

Users who visited the website on September 18th may therefore have been redirected to the website hosting RIG and had their systems infected with data-stealing malware. Pleger urged those who visited the site during the alleged attack to re-image their systems, reset passwords for user accounts that have been used on those systems, and check whether any suspicious activity has originated from the offending system.
"However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users [who are] generally IT systems administrators and web developers, including a large contingent who work within enterprises," Pleger wrote.
Cyber criminals discovered a loophole in the jQuery website’s web properties, backend systems, or other critical infrastructure and injected malicious JavaScript that redirects victims.

The RIG exploit kit is often used to deliver banking Trojans and other information-stealing malware. The researcher said he detected malware on compromised machines that steals credentials and other data.
"Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach."
RiskIQ researchers immediately notified the jQuery Foundation about the issue. In response, the jQuery Foundation said that its internal investigation into the servers and logs didn't find the RIG exploit kit or evidence that there was a compromise.

The RIG exploit kit, first spotted in April this year, checks for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the visitor's system and, if one is found, the system is instantly exploited by the bad actors. It was also used to distribute Cryptowall Ransomware back in June.

UPDATE
In an official blog post, Ralph Whitbeck from jQuery.com commented on RiskIQ's findings:
"Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise."
But yes, "Currently the only potential system compromised is the web software or server that runs jquery.com." and "At no time have the hosted jQuery libraries been compromised."
"Even though we don’t have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean," he added.
