Backdoored art-template npm Package Turns Websites into iOS Exploit Delivery Points

The compromised art-template npm package silently injected a loader for the Coruna exploit kit into every web application that bundled it, turning those sites into a watering hole that fingerprints each visitor and fires only on Safari for iOS 11.0 through 17.2.

CSBadmin

The Supply Chain Attack

A widely used JavaScript templating library called art-template was compromised in a supply chain attack, transforming legitimate web applications into watering holes targeting Apple device owners. The npm package, originally maintained by a developer known as “aui,” was transferred to an unknown actor under the guise of ongoing maintenance. Shortly after the handover, the new controller began injecting malicious code into the package.

Researchers at Socket.dev identified the campaign and linked it to a previously documented iOS exploit framework, the Coruna exploit kit. Their analysis found that the implant inside the backdoored package closely mirrored the delivery patterns of that earlier framework, suggesting direct reuse or a near-identical derivative. To suppress discovery, issue reports flagging the suspicious behavior were quietly deleted while the attacker kept publishing malicious versions.

Impact and Scope

The backdoored versions followed an escalating injection pattern across multiple releases. Version 4.13.3 encoded the injected loader to hide the external domain it fetched from. Versions 4.13.5 and 4.13.6 dropped the obfuscation entirely and injected a plaintext script loader directly into the package’s browser bundle file. Any web application that shipped one of those versions would silently load the attacker’s script in every visitor’s browser; the exploit stage itself was gated by the fingerprinting described below. Because the loader pulled its payload from a remote domain, the package contents alone do not bound what was delivered: the attacker could change the second stage server-side at any time without publishing a new npm release.
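The first question for anyone who depends on art-template, directly or transitively, is whether one of the three named releases sits anywhere in the install tree. The following Node script is an added example, not code from the report or from the art-template project; it walks an npm lockfile in both the v1 (nested "dependencies") and v2/v3 (flat "packages") shapes and flags the versions the report names. The lockfile it runs on is constructed inline so the example works offline; the other versions it contains are not asserted to be clean, only not named in the report.

```javascript
// Added example (not from the report or the art-template project): audit an npm
// lockfile for the art-template releases the report names as backdoored.
const TARGET = 'art-template';
// Only the versions the report identifies: 4.13.3 carried the encoded loader,
// 4.13.5 and 4.13.6 the plaintext one. Other versions are simply "not named".
const BACKDOORED = new Set(['4.13.3', '4.13.5', '4.13.6']);

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/some-widget/node_modules/art-template" for a nested copy.
function fromPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue;                      // root project entry
    const name = path.split('node_modules/').pop(); // last path component (handles @scope/pkg)
    if (name === TARGET && meta.version) hits.push({ path, version: meta.version });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; recurse so copies that were
// not hoisted to the top level are still found.
function fromDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (name === TARGET && meta.version) hits.push({ path, version: meta.version });
    if (meta.dependencies) fromDependencies(meta.dependencies, `${path}/`, hits);
  }
  return hits;
}

// Returns every installed art-template entry with a flag for the named releases.
function auditLockfile(lock) {
  const hits = lock.packages
    ? fromPackages(lock.packages)
    : fromDependencies(lock.dependencies || {}, '', []);
  return hits.map(h => ({ ...h, backdoored: BACKDOORED.has(h.version) }));
}

// Constructed lockfile (v3 shape): a direct dependency on a version the report
// does not name, plus a backdoored copy nested under a transitive dependency,
// which a glance at the top-level tree can easily miss.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'art-template': '^4.13.2', 'some-widget': '^1.0.0' } },
    'node_modules/art-template': { version: '4.13.2' },
    'node_modules/some-widget': { version: '1.0.0', dependencies: { 'art-template': '4.13.6' } },
    'node_modules/some-widget/node_modules/art-template': { version: '4.13.6' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.backdoored ? 'BACKDOORED' : 'not named '} ${f.version.padEnd(8)} ${f.path}`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A hit anywhere in the tree means the built browser bundle must be treated as compromised, regardless of what the top-level `package.json` range says.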

The core of the attack is a JavaScript implant that functions as a watering hole exploit delivery framework. Once injected through the compromised npm package, it fingerprints each site visitor and activates only on Safari running on iOS 11.0 through 17.2, silently exiting on Chrome, Firefox, Edge, Android, and iOS 17.3 or higher. That gating also means most visitors, and most developers testing their own sites on a desktop browser, would never see anything happen. Given how widely the package was used across JavaScript projects, the scale of exposure is significant: developers who bundled the affected versions became unwitting delivery vehicles for a targeted mobile attack against their own users, with no visible sign that anything had changed.
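For incident response, the useful consequence of that gate is that it can be inverted: given the conditions the report states, an operator can ask which visitors of an affected site would actually have been served the exploit stage, and an analyst knows which User-Agent to present when retrieving the loader's payload in a sandbox. The script below is an added example and not the implant's code; it reconstructs the stated targeting predicate from User-Agent strings and runs it over constructed Combined Log Format access-log lines (the UA strings follow real browser formats, the IPs are from the documentation range). It assumes the gate is expressed purely through the User-Agent; the report says only that visitors are fingerprinted, so a real implant may check additional signals that access logs cannot show.

```javascript
// Added example (not the implant's code): the targeting predicate the report
// describes, reconstructed from its stated conditions and applied to web-server
// access logs to list the visitors who would have received the exploit stage.
// Assumption: the gate is decided from the User-Agent alone.

// Inclusive iOS version range the implant activates on, per the report.
const MIN_IOS = [11, 0];
const MAX_IOS = [17, 2];

// Returns [major, minor] for an iOS WebKit UA ("... iPhone OS 16_5 like Mac OS X"
// or "... iPad; CPU OS 12_4 like Mac OS X"), or null if the UA is not iOS.
function iosVersion(ua) {
  const m = /\b(?:iPhone|iPad|iPod)\b.*?\bOS (\d+)_(\d+)/.exec(ua);
  return m ? [Number(m[1]), Number(m[2])] : null;
}

function cmpVersion(a, b) { return a[0] !== b[0] ? a[0] - b[0] : a[1] - b[1]; }

// True only for Safari on iOS 11.0..17.2. Third-party iOS browsers identify
// themselves with CriOS (Chrome), FxiOS (Firefox) or EdgiOS (Edge); Android and
// desktop UAs carry no iOS version string and fall out at iosVersion().
function wouldActivate(ua) {
  if (/\b(?:CriOS|FxiOS|EdgiOS)\//.test(ua)) return false;
  if (!/Safari\//.test(ua)) return false;
  const v = iosVersion(ua);
  if (!v) return false;
  return cmpVersion(v, MIN_IOS) >= 0 && cmpVersion(v, MAX_IOS) <= 0;
}

// Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$/;

// Returns {ip, time, ua} for every log line whose UA satisfies the gate.
function inScopeVisitors(logText) {
  const out = [];
  for (const line of logText.split('\n')) {
    const m = CLF.exec(line.trim());
    if (!m) continue;                // skip blank or non-CLF lines
    const [, ip, time, ua] = m;
    if (wouldActivate(ua)) out.push({ ip, time, ua });
  }
  return out;
}

// Constructed log excerpt: in-range iPhone, out-of-range iPhone (17.3),
// Chrome on iOS, Android Chrome, in-range iPad.
const SAMPLE_LOG = [
  '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
  '203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "GET /app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1"',
  '203.0.113.12 - - [01/Jan/2025:10:00:02 +0000] "GET /app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/120.0.0.0 Mobile/15E148 Safari/604.1"',
  '203.0.113.13 - - [01/Jan/2025:10:00:03 +0000] "GET /app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36"',
  '203.0.113.14 - - [01/Jan/2025:10:00:04 +0000] "GET /app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"',
].join('\n');

for (const v of inScopeVisitors(SAMPLE_LOG)) console.log(`${v.ip} ${v.time} ${v.ua}`);
```

Two caveats when using this for triage. Safari on iPadOS 13 and later requests desktop sites with a macOS User-Agent by default, so log-based counting undercounts iPads, and the implant itself may have been able to identify them by other means. And the inverse is not safe either: a visitor outside the range still executed the attacker-controlled loader, so an "out of scope" UA only says the exploit stage as described would not have fired, not that the page was clean.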

Source: Cyber Security News
