At the end of last week, the compromise was reported by Faisal Salman, the developer of UAParser.js.
Analysis of the malicious code revealed additional scripts that downloaded and launched binaries from a remote server. These files have been provided for both Linux and Windows.
In addition to the large-currency miner jsextension (this is the XMRig Monero miner, which will use only 50% of the device’s CPU so that it cannot be easily detected), an info-stealer Trojan (possibly a variation of Danabot malware) was also loaded on Windows systems, which is capable of stealing cookies and passwords from the browser, as well as the credentials of the OS and other applications, including FTP clients, VNC, instant messengers, email clients, and so on.
Just a few hours after the hack was discovered, Salman removed the compromised versions of the library and re-released the “clean” versions: 0.7.30, 0.8.1 and 1.0.1.
The GitHub security team has already taken note of the incident and also issued a message calling for immediate password reset and token rotation on systems where UA-Parser-JS was used as part of development processes.
Interestingly, Sonatype specialists associate the incident with another incident that took place last week. Then the researchers identified three malicious npm packages that also contained a hidden cryptocurrency miner. Sonatype now believes that the attack on UA-Parser-JS was carried out by the same attacker.
Let me remind you that we wrote that Information security specialists discovered another malicious npm package with a backdoor.
User Review( votes)