Cryptomining Plug In Attack Hits Government Websites including ICO

It seems that users of the Browsealoud plugin were compromised by a cryptomining utility that was digging for Monero. Bad.

In the past 24 hours, security researcher Scott Helme discovered that a third-party accessibility plugin called ‘Browsealoud’ had its servers compromised. The plugin relies on a website including Javascript in its content in order to work. This compromise resulted in over 4,000 websites serving up cryptomining malware.

The malware uses site visitors’ CPUs to mine for the Monero cryptocurrency. The sites that use Browsealoud included the UK Information Commissioner’s Office, UK National Health Service websites and a great many more. It is a popular but rather specialized plugin.

Texthelp is the company that makes the Browsealoud plugin. They are reporting that their product was infected for four hours, affecting sites that use the Browsealoud plugin before it was taken offline. The product remains offline while they investigate.

The site that is supposed to dish out details on the forthcoming security standard GDPR was compromised. Come on guys.

Javascript Supply Chain Attacks Are Real-Time

The thing that differentiates a JS supply chain attack from other forms is that, once the attacker installs their malicious code, victims are instantly affected. No action is required by the site administrator or site visitors. Code is being loaded per visit from the compromised server and the moment a code change is made, it is active in victim browsers.

This is different from application supply chain attacks or WordPress plugin supply chain attacks. An application supply chain attack needs a compromised application to be distributed before it exploits users. Desktop or mobile users need to upgrade to the new version before they are affected. Even if an auto-update is pushed out by the attacker somehow, there will be some delay before it is effective.

A WordPress plugin supply chain attack needs site owners to update to the new compromised plugin version before it is active. Javascript supply chain attacks are instantly active and being loaded by site visitors as soon as the attacker saves the file to the distribution web server. That is why it is critically important to use SRI for all external scripts on your site.

How To Protect Your Site and Site Visitors From JS Supply Chain Attacks

There is an easy way to protect yourself against Javascript supply chain attacks using a security feature called Subresource Integrity, or SRI. If you are including javascript code from an external source using the

Normally you’ll include a script like this:

To secure your site against JS supply chain attacks, change it to:
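
As an added illustration (not the original post's snippet, and not Texthelp's code), the Node.js example below computes an SRI value for a script body, builds the plain and the SRI-protected script tags, and checks a served body against the integrity value the way a browser does. The URL, the sample script bodies and the function names are constructed assumptions.

```javascript
// Added example (not from the original post): generating and checking SRI values.
const { createHash } = require('node:crypto');

// Constructed sample data standing in for a file served by a third-party host.
const SCRIPT_URL = 'https://cdn.example.com/plugin.js'; // placeholder URL
const ORIGINAL_BODY = 'window.plugin = { speak: function (t) { return t; } };\n';
const TAMPERED_BODY = ORIGINAL_BODY + 'unexpectedCall();\n'; // file changed on the host

// SRI value: "<alg>-<base64 of the raw digest of the exact bytes served>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Without integrity, the browser runs whatever the host returns.
function plainTag(url) {
  return `<script src="${url}"></script>`;
}

// With integrity; crossorigin lets the browser read and hash the cross-origin response.
function sriTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Approximates the browser's check: only hashes using the strongest listed
// algorithm count, and any one of them matching is enough.
function matchesIntegrity(body, integrity) {
  const rank = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);
  const entries = integrity.trim().split(/\s+/)
    .map((token) => ({ alg: token.split('-')[0], token: token.split('?')[0] }))
    .filter((entry) => rank.has(entry.alg));
  // No recognised hash means the browser enforces nothing.
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((entry) => rank.get(entry.alg)));
  return entries
    .filter((entry) => rank.get(entry.alg) === best)
    .some((entry) => sriHash(body, entry.alg) === entry.token);
}

console.log(plainTag(SCRIPT_URL));
console.log(sriTag(SCRIPT_URL, ORIGINAL_BODY));
console.log('original accepted:', matchesIntegrity(ORIGINAL_BODY, sriHash(ORIGINAL_BODY)));
console.log('tampered accepted:', matchesIntegrity(TAMPERED_BODY, sriHash(ORIGINAL_BODY)));
```

The hash must be regenerated whenever the vendor legitimately changes the file, so SRI works best with versioned script URLs whose content does not change in place.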

Stay safe out there.
