Attackers hacked the UA-Parser-JS npm package, which is downloaded millions of times weekly

Written by Emma Davis

Hackers broke into the popular UA-Parser-JS npm package (a JavaScript library) and injected malicious code that downloaded and installed a password-stealing tool and a cryptocurrency miner on users’ systems.

UA-Parser-JS is an extremely popular solution that is downloaded millions of times a week, according to npm statistics (over 24 million downloads this month alone). According to the official site, the library is used by companies like Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and so on.

At the end of last week, the compromise was reported by Faisal Salman, the developer of UAParser.js.

“I noticed something unusual when my email was suddenly flooded with spam from hundreds of sites (this was probably done to prevent me from noticing that something was happening, but luckily the effect was just the opposite). I believe someone hacked my npm account and published a number of compromised packages (versions 0.7.29, 0.8.0, 1.0.0) that probably install malware,” he wrote.

Analysis of the malicious code revealed additional scripts that downloaded and launched binaries from a remote server. The binaries were provided for both Linux and Windows.


In addition to the cryptocurrency miner jsextension (this is the XMRig Monero miner, which uses only 50% of the device’s CPU so that it cannot be easily detected), an info-stealer Trojan (possibly a variant of the Danabot malware) was also loaded on Windows systems. It is capable of stealing cookies and passwords from the browser, as well as the credentials of the OS and other applications, including FTP clients, VNC, instant messengers, email clients, and so on.

Just a few hours after the hack was discovered, Salman removed the compromised versions of the library and re-released the “clean” versions: 0.7.30, 0.8.1 and 1.0.1.

The GitHub security team has already taken note of the incident and also issued a message calling for immediate password reset and token rotation on systems where UA-Parser-JS was used as part of development processes.
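A check a defender can run after this incident, as an added example that is not part of the original article: it scans a parsed package-lock.json for ua-parser-js resolved to one of the compromised versions named above (0.7.29, 0.8.0, 1.0.0). The function name `findCompromised` and the sample lockfile are constructed for illustration.

```javascript
// Added example: find ua-parser-js resolved to a compromised release in a lockfile.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']); // versions named in the article
const PKG = 'ua-parser-js';

// Returns [{ path, version }] for every compromised copy in a parsed
// package-lock.json object. Handles both lockfile layouts:
//   v2/v3: flat "packages" map keyed by "node_modules/..." paths
//   v1:    nested "dependencies" tree keyed by package name
function findCompromised(lock) {
  const hits = [];
  const seen = new Set(); // v2 lockfiles carry both layouts; report each path once
  const record = (path, version) => {
    if (COMPROMISED.has(version) && !seen.has(path)) {
      seen.add(path);
      hits.push({ path, version });
    }
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Text after the last "node_modules/" is the package name ('' for the root project).
    const name = path.split('node_modules/').pop();
    if (name === PKG) record(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) record(path, meta.version);
      walk(meta.dependencies, `${path}/`); // transitive copies nested under a dependency
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' }, // root project: must not be flagged
    'node_modules/ua-parser-js': { version: '0.7.30' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.29' },
  },
  dependencies: {
    'ua-parser-js': { version: '0.7.30' },
    'some-lib': { version: '2.1.0', dependencies: { 'ua-parser-js': { version: '0.7.29' } } },
  },
};
console.log(findCompromised(sampleLock));
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findCompromised`. A lockfile only records what is currently resolved, so a clean result does not show that a compromised version was never installed on a given machine.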

Interestingly, Sonatype specialists associate the incident with another incident that took place last week. At that time, the researchers identified three malicious npm packages that also contained a hidden cryptocurrency miner. Sonatype now believes that the attack on UA-Parser-JS was carried out by the same attacker.

Let me remind you that we previously wrote that information security specialists discovered another malicious npm package with a backdoor.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
