The attack is still under way and the malicious scripts are still live. Both compromises were discovered by Sanguine Security founder Willem de Groot and confirmed by several other security researchers.
Alpaca Forms is an open-source project for building web forms, originally developed by the enterprise CMS provider Cloud CMS and open-sourced eight years ago. Cloud CMS provides a free CDN (content delivery network) service for the project, and it was this CDN that the hackers breached, modifying one of the Alpaca Forms scripts in the process.
At present it is not known how the hackers breached Picreel or Cloud CMS’s Alpaca Forms CDN. The malicious code logs everything the user types into form fields and sends it to a server located in Panama. This includes data entered on checkout/payment pages, contact forms, and login sections.
The malicious code embedded in the Picreel script has been seen on 1,249 websites, while the Alpaca Forms one has been seen on 3,435 domains.
Cloud CMS has taken down the CDN that was serving the tainted Alpaca Forms script. The company has clarified that there was no security breach or security issue with Cloud CMS itself, its customers, or its products.
These kinds of attacks, called supply-chain attacks, have become common in the past two years. Hackers have started targeting smaller businesses that provide “secondary code” to high-profile websites and to thousands of others. They have targeted providers of chat widgets, live support widgets, analytics companies, and more.