Seems that users of the Browsealoud plugin were compromised by a crypto-mining utility that was digging for Monero. Bad.
The malware uses site visitor CPUs to mine for Monero cryptocurrency. The sites that use Browsealoud included the UK Information Commissioner’s office, UK National Health Service websites and a great many more. It is a popular but rather specialized plugin.
Texthelp is the company that makes the Browsealoud plugin. They are reporting that their product was infected for four hours, affecting sites that use the Browsealoud plugin, before it was taken offline. The product remains offline while they investigate.
The site that is supposed to dish out details on the forthcoming security standard GDPR was compromised. Come on guys.
The thing that differentiates a JS supply chain attack from other forms is that, once the attacker installs their malicious code, victims are instantly affected. No action is required by the site administrator or site visitors. Code is being loaded per visit from the compromised server and the moment a code change is made, it is active in victim browsers.
This is different from application supply chain attacks or WordPress plugin supply chain attacks. An application supply chain attack needs a compromised application to be distributed before it exploits users. Desktop or mobile users need to upgrade to the new version before they are affected. Even if an auto-update is pushed out by the attacker somehow, there will be some delay before it takes effect.
How To Protect Your Site and Site Visitors From JS Supply Chain Attacks
Normally you’ll include a script like this:
To secure your site against JS supply chain attacks, change it to:
Stay safe out there.