jQuery Foundation board member Ralph Whitbeck confirmed via email to Threatpost that a new compromise was under way and the organization was taking steps to mitigate.
“This one does not involve malware,” Whitbeck said. “We are working hard to lock the site down currently.”
The website’s homepage was replaced with a text message: “Common, guys! All your base are belong to us. Just please reinstall dat backdoored spenssh deamon. And all will be fine.”
Requests to Whitbeck for further information were not returned prior to publication. Whitbeck later posted a notice to the jQuery site that while the two attacks may not be related, they may have used the same attack vector.
“We took the site down as soon as we realized there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities,” Whitbeck said. “At no point today have there been reports of malware being distributed from any of our sites, nor has the code of any jQuery libraries on our website or CDN been affected or modified today or during last week’s reported attack.”
Yesterday, a blog post from security firm RiskIQ warned website administrators that it had detected a compromise of jQuery[.]com on Sept. 18 and said the site was redirecting visitors via a hidden iframe to websites hosting the RIG exploit kit. From there, machines were being infected with data-stealing malware.
Last night, Whitbeck said the jQuery team had not yet been able to confirm that breach.
“Our internal investigation into our servers and logs has not yet found the RIG exploit kit or evidence that there was in fact a compromise,” Whitbeck said.
Whitbeck confirmed the jQuery team was notified by RiskIQ on the 18th, but they’ve been unable to reproduce or confirm a server compromise.
“We have not been notified by any other security firm or users of jquery.com confirming a compromise,” Whitbeck said. “Normally, when we have issues with jQuery infrastructure, we hear reports within minutes on Twitter, via IRC, etc.”
RiskIQ said none of the jQuery libraries were compromised, indicating that perhaps only the webserver running the jQuery site was infiltrated.
In its report yesterday, RiskIQ said the jquery-cdn[.]com site was still live and redirecting visitors to the RIG page.
“Some of this confusion stems from last week’s attackers having set up a domain name intended to dupe users into thinking it was the official jQuery CDN,” Whitbeck said. “Please note that the official domain for jQuery files hosted from our official CDN is code.jquery[.]com.”
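The two indicators the article describes, a hidden iframe injected into a compromised page and a look-alike jQuery CDN host, can be checked for from the defender's side. The following is an added example, not code from Threatpost or the jQuery project; the allow-list, the `.example` hostnames and the sample HTML are constructed for illustration.

```python
# Added example, not Threatpost's or jQuery's code: flags a hidden iframe and a
# look-alike jQuery CDN host in fetched HTML. Allow-list and sample are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_JQUERY_HOSTS = {"code.jquery.com"}  # the official CDN host named in the article
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _dim(value):
    """Parse a width/height attribute; missing or non-numeric counts as large."""
    m = re.match(r"\s*(\d+)", str(value or ""))
    return int(m.group(1)) if m else 10**6

class InjectionScanner(HTMLParser):
    """Collects hidden/tiny iframes and scripts from jQuery look-alike hosts."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.lookalike_scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            tiny = all(_dim(a.get(k)) <= 1 for k in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.hidden_iframes.append(a.get("src") or "")
        elif tag == "script" and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            if "jquery" in host and host not in OFFICIAL_JQUERY_HOSTS:
                self.lookalike_scripts.append(a["src"])

def scan(html):
    """Return the suspicious iframe and script sources found in an HTML string."""
    p = InjectionScanner()
    p.feed(html)
    return {"hidden_iframes": p.hidden_iframes, "lookalike_scripts": p.lookalike_scripts}

# Constructed sample: one official script tag, one look-alike CDN reference and a
# zero-size hidden iframe of the kind used to redirect visitors to an exploit kit.
SAMPLE_HTML = """<html><body>
<script src="https://code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="http://jquery-cdn.example/jquery.min.js"></script>
<iframe src="http://landing.example/gate.php" width="0" height="0" style="display:none"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

Run against a page fetched from a monitored site, a non-empty result is a cue to compare the served HTML with the deployed source and to check web-server logs for the modification.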
RIG was discovered earlier this year and, like other exploit kits, it targets vulnerabilities in popular client software such as Java, Adobe Flash and Microsoft’s Internet Explorer and Silverlight.
“It’s important to note that we did not observe any changes within the jQuery library itself, which was likely unaffected by this compromise. However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users,” RiskIQ director of research James Pleger said. “JQuery users are generally IT systems administrators and web developers, including a large contingent who work within enterprises.”
RiskIQ hypothesizes that, by dropping keyloggers and other credential-stealing malware on visitors’ machines, the attackers are after privileged users inside the enterprise.
“Planting malware capable of stealing credentials on devices owned by privileged account holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach,” Pleger said.
This article was updated at 4 p.m. ET with comments and a link to an update from jQuery.