A prominent JavaScript library (npm package) that had been downloaded millions of times every week was found to have malware embedded in it.

A widely used JavaScript library (npm package) has been hacked, and a version modified with malicious code was used worldwide to download and install a password stealer and a cryptocurrency miner.

https://github.com/faisalman/ua-parser-js/issues/536

The attacker tampered with the installation script so that the package would automatically run what appeared to be a cryptocurrency miner during installation.

The target is UAParser.js, a JavaScript library for reading information stored inside user agent strings.

UAParser.js is a library used by Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit and many other companies.

Also, according to the npm page, this library is regularly downloaded 6 to 7 million times per week.

Faisal Salman, author of UAParser.js, commented, “I think someone has hijacked my npm account and released dangerous packages (0.7.29, 0.8.0, 1.0.0) that install malware.”

A few hours after discovering the hack, Salman removed the infected version of the library to prevent users from being accidentally infected, and released a clean version.

Analyzing the code, we found a script that downloads and executes a binary from a remote server. The binaries were provided for both Linux and Windows platforms.

If you look at the command line arguments, one of them looks like a cryptominer, but this may be for camouflage.

According to another user on GitHub, on Windows systems the script downloaded and ran an infostealer Trojan (possibly a variant of the Danabot malware) that included the ability to export browser cookies, browser passwords, and OS credentials.

Because major companies rely on this library, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert on this incident, urging developers to update to a secure version.

The GitHub security team has also issued its own alert in response to this incident, urging anyone whose systems use this library as part of their development process to reset passwords and rotate tokens immediately.

The computer on which this package is installed or running should be considered to be completely compromised. All passwords and keys stored on that computer should be immediately rotated from another computer.

This package should be removed, but since full control of the computer may be in the hands of an outside organization, removing the package is no guarantee that all malicious software resulting from it will be removed.

This is the fourth malicious npm package discovered; Sonatype has discovered three newly released npm libraries, targeting Linux and Windows systems, that contain similar malicious code aimed at downloading and installing cryptocurrency miners.

You can check whether any of your projects pins one of the affected versions with the following command:

find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0\.7\.29|0\.8\.0|1\.0\.0)" {} \; 2>/dev/null
