Hackers have breached analytics service Picreel and open-source project Alpaca Forms and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites, security researchers have told
ZDNet.
The attack is ongoing, and the malicious scripts are still live, at the time of this article's publishing.
Both hacks have been
spotted by Sanguine Security founder Willem de Groot earlier today and confirmed by several other security researchers.
Picreel is an analytics service that allows site owners to record what users are doing and how they're interacting with a website to analyze behavioral patterns and boost conversation rates. Picreel customers --website owners-- are supposed to embed a piece of JavaScript code on their sites to allow Picreel to do its job. It's this script that hackers have compromised to add malicious code.
Alpaca Forms is an open-source project for building web forms. It was initially developed by the enterprise CMS provider Cloud CMS and open-sourced eight years ago. Cloud CMS still provides a free CDN (content delivery network) service for the project. Hackers appear to have breached this Cloud CMS-managed CDN and modified one of the Alpaca Form scripts.
