Security researchers from the Trellix Advanced Research Centre uncovered a disturbing new attack vector where cybercriminals are leveraging the Parrot Traffic Direction System (TDS) to distribute malware through the widely used jQuery Migrate library.
The incident began when an enterprise executive accessed what appeared to be a legitimate Middle Eastern business site—tabukchamber[.]sa—only for their browser to silently download and execute a weaponized version of the popular JavaScript library, jquery-migrate-3.4.1.min.js.
Once on the compromised WordPress site, the attacker abused the Autoptimize plugin’s caching mechanism.
This plugin, designed to optimize web performance by aggregating and minifying frontend assets, became the delivery point for the Parrot TDS infection.
The malware was embedded within a tampered cache file, making detection even more challenging as the file originated from a trusted domain.
The clever use of Parrot TDS ensured that only “valid” targets, such as real users and not bots, received the malicious payload, thus evading automated detection systems and static scanners.
Inside the Attack: Obfuscation, Dynamic Loading, and Remote Execution
At its core, the attack relied on advanced code obfuscation techniques. The original, official jQuery Migrate library was appended with a sizable block of obfuscated JavaScript at the end, camouflaged among thousands of legitimate lines of code.
This payload utilized an array-based string builder, dynamically reconstructing keywords and URLs to evade detection, while employing a custom HTTP wrapper around XMLHttpRequest to send data discreetly.
A unique randomized token was generated for each user session, ensuring every infected request appeared unique and evaded static signature-based defenses.
The real danger lay in the payload’s remote-execution capability: the malware issued GET requests to attacker-controlled domains, fetching additional JavaScript dynamically and executing it using the eval() function.
This approach made forensic analysis challenging, as little to no evidence remained on disk, and most malicious actions occurred in memory.
Capabilities and Consequences: Versatile, Evasive, and Devastating
Once executed, the malicious code could perform a range of harmful actions, tailored to the attacker’s needs.
These included stealing cookies, session IDs, and tokens directly from the browser, potentially granting full access to a user’s account.
The malware could also log keystrokes, harvest data from localStorage and sessionStorage, and inject deceptive login forms or phishing overlays to trick users into divulging sensitive information.
It could further exfiltrate stolen data via image-based GET requests or hidden iframes, deploy cryptocurrency miners, or hijack user interactions for click fraud.
Mitigation and Calls to Action
Trellix recommends immediately removing all third-party libraries and replacing them with copies obtained from verified sources, along with purging and rebuilding asset pipelines.
Organizations should enforce strict Content Security Policies (CSP) and enable Subresource Integrity (SRI) checks.
Additionally, force logouts for potentially affected users, revoke compromised tokens, and conduct thorough audits of frontend assets for appended obfuscated code and unusual eval() calls.
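An added example of the asset audit described above (not Trellix's tooling or code from the report): it computes the SRI digest a site should pin for a script, compares a served copy against it, isolates bytes appended after a pristine copy, and flags direct eval() calls and array-based string builders that reassemble "eval" or "XMLHttpRequest". Both assets below are constructed stand-ins, not the real jquery-migrate-3.4.1.min.js.

```python
import base64
import hashlib
import re

# Constructed stand-ins for this example (not the real jquery-migrate-3.4.1.min.js).
CLEAN_ASSET = (
    b'/*! jQuery Migrate v3.4.1 (constructed stand-in) */\n'
    b'(function(){"use strict";var m={version:"3.4.1"};window.jQueryMigrate=m})();\n'
)
# Appended tail mimicking the pattern in the report: an array-based string
# builder that reassembles "eval" and "XMLHttpRequest" plus a per-session token.
# The loader body is deliberately left out; this is detector test input only.
TAMPERED_ASSET = CLEAN_ASSET + (
    b';(function(){var _0x=["ev","al","XMLHttp","Request","/m/script.js?id="];'
    b'var tok=Math.random().toString(36).slice(2);'
    b'window[_0x[0]+_0x[1]]("")})();'
)

KEYWORDS = ("eval", "XMLHttpRequest", "fromCharCode")
# An array literal of four or more short double-quoted strings (split keywords).
STRING_ARRAY = re.compile(r'\[\s*(?:"[^"\n]{0,40}"\s*,\s*){3,}"[^"\n]{0,40}"\s*\]')


def sri_digest(data: bytes) -> str:
    """Value for a <script integrity="..."> attribute (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def appended_tail(data: bytes, pristine: bytes):
    """Bytes appended after a pristine copy, or None if data is not pristine+tail."""
    if data.startswith(pristine) and len(data) > len(pristine):
        return data[len(pristine):]
    return None


def audit_asset(data: bytes, expected_sri: str) -> dict:
    """Check the served file against its known-good SRI digest and flag direct
    eval() calls and string arrays that reassemble sensitive keywords."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    for m in re.finditer(r"\beval\s*\(", text):
        findings.append(f"direct eval() call at offset {m.start()}")
    for m in STRING_ARRAY.finditer(text):
        joined = "".join(re.findall(r'"([^"]*)"', m.group(0)))
        hits = [k for k in KEYWORDS if k in joined]
        if hits:
            findings.append(f"string array reassembles {hits} at offset {m.start()}")
    return {"integrity_ok": sri_digest(data) == expected_sri, "findings": findings}
```

In practice the expected digest comes from the pinned integrity attribute or a vendored copy, and the audit runs over every file the cache plugin serves, not only the library you expect to find there.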
This attack highlights the increasing sophistication of supply chain attacks and underscores the urgent need for continuous monitoring and robust security measures at the front end, particularly for widely used platforms like WordPress.
By blending malware into trusted scripts and using advanced traffic filtering, attackers can infect victims with little chance of detection, a sobering reminder that no library, no matter how trusted, should be left unverified.
Indicators of compromise (IoCs)
| Type | Indicator |
| --- | --- |
| Malicious Asset | jquery-migrate-3.4.1.min.js with appended obfuscated code |
| Origin URL | hxxps://tabukchamber[.]sa/…/autoptimize_*.js |
| TDS Delivery | Active use of Parrot TDS on WordPress cache path |
| Payload Request | https://www.cloudhost.com/m/script.js?id=<random_token> |