jQuery Migrate Library Compromised to Steal Logins via Parrot Traffic Direction System

Security researchers from the Trellix Advanced Research Center have uncovered a malware campaign abusing the widely trusted jQuery Migrate library, a backward-compatibility shim for jQuery that ships with, or is bundled by, platforms such as WordPress, Joomla, and Drupal.

The investigation, which began with a routine URL inspection after unusual online activity was noticed, turned up a weaponized copy of jquery-migrate-3.4.1.min.js.

Sophisticated Malware Hidden

The malicious script was served from a compromised Middle Eastern business website, showing how a legitimate site can become the delivery vector for a stealthy threat.

The incident came to light when a senior executive visited the site. It highlights the exposure of trusted open-source assets in the software supply chain, especially once they are bundled into minified or optimized files that evade easy scrutiny.

Figure: jQuery Migrate library, obfuscated entry point.

The malware was delivered through Parrot Traffic Direction System (TDS), a cybercriminal toolkit that profiles visitors by device, browser, or referrer and redirects selected ones to malicious payloads.

Embedded in a WordPress Autoptimize cache file on the affected site (tabukchamber[.]sa), Parrot TDS injected redirect code that led to the download of the tampered jQuery Migrate library.

Parrot TDS: A Stealthy Delivery Mechanism

Upon analysis, researchers found an obfuscated JavaScript payload appended after the legitimate library code. It builds strings dynamically, wraps its HTTP traffic in a custom XMLHttpRequest helper, and generates randomized tokens, all of which defeat simple signature matching.

According to the Trellix report, this payload, executed through eval(), fetched remote scripts from attacker-controlled domains. Because the final code is retrieved at run time and is not present in the file, static detection is unreliable, and the attacker can adapt the second stage to each victim's profile.

Figure: remote execution via eval().

The capabilities of this malware are deeply concerning. Once activated, it can steal sensitive data like cookies, session IDs, and localStorage contents, log keystrokes to capture credentials, and inject fake login modals or deceptive UI overlays to phish users.

It can also deploy additional threats such as cryptocurrency miners or click-fraud scripts, exfiltrate data via hidden iframes or fetch() requests, and hook into browser APIs for persistence.

Because the second stage runs in memory and leaves no disk artifacts, forensic analysis is harder; defenders are left detecting network anomalies (unexpected script fetches following a page load) or DOM manipulations (injected forms, overlays, or iframes).

This incident underscores the need for continuous monitoring of the scripts a site actually serves, regular audits of third-party code against pristine copies, and behavioral telemetry that flags deviations in user sessions, as attackers increasingly exploit the trust placed in ubiquitous libraries like jQuery to deliver their payloads.

Indicators of Compromise (IoCs)

Type              Indicator
Malicious asset   jquery-migrate-3.4.1.min.js with appended obfuscated code
Origin URL        hxxps://tabukchamber[.]sa/…/autoptimize_*.js
TDS delivery      Active use of Parrot TDS on the WordPress Autoptimize cache path
Payload request   https://www.cloudhost.com/m/script.js?id=
