
UAParser.js package infected with password stealer and miner



Unknown attackers have compromised several versions of a popular JavaScript library, UAParser.js, by injecting malicious code. According to statistics on the developers’ page, many projects use the library, which is downloaded 6 to 8 million times every week. Thus, this supply-chain attack is one of the largest ever known.

The malefactors compromised three versions of the library: 0.7.29, 0.8.0, and 1.0.0. All users and administrators should update the libraries to versions 0.7.30, 0.8.1, and 1.0.1, respectively, as soon as possible.

What UAParser.js is, and why it is so popular

JavaScript developers use the UAParser.js library to parse the User-Agent data browsers send. It is deployed on many websites and used in the software development process of various companies, including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, and more. Moreover, some software developers use third-party tools, such as the Karma framework for code testing, which themselves depend on this library, further increasing the scale of the attack by adding another link to the supply chain.

Introduction of malicious code

Attackers embedded malicious scripts into the library to download malicious code and execute it on victims’ computers, on both Linux and Windows. One module’s purpose was to mine cryptocurrency. A second was capable of stealing confidential information such as browser cookies, passwords, and operating system credentials.

However, that may not be all: According to the US Cybersecurity and Infrastructure Protection Agency’s (CISA’s) warning, installing compromised libraries could allow attackers to take control of infected systems.

According to GitHub users, the malware creates binary files: jsextension (in Linux) and jsextension.exe (in Windows). The presence of these files is a clear indicator of system compromise.

How malicious code got into the UAParser.js library

Faisal Salman, the developer of the UAParser.js project, stated that an unidentified attacker gained access to his account in the npm repository and published three malicious versions of the UAParser.js library. The developer immediately added a warning to the compromised packages and contacted npm support, which quickly removed the dangerous versions. However, while the packages were online, a significant number of machines could have downloaded them.

Apparently, they were online for a little more than four hours, from 14:15 to 18:23 CET on October 22. In the evening, the developer noticed unusual spam activity in his inbox — he said it alerted him to suspicious activity — and discovered the root cause of the problem.

What to do if you downloaded infected libraries

If you have bad versions already, immediately update your libraries to the patched versions — 0.7.30, 0.8.1, and 1.0.1. However that is not enough: According to the advisory, any computer on which an infected version of the library was installed or executed should be considered completely compromised. Therefore, users and administrators should change all credentials that were used on those computers.
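The two checks the post describes, compromised versions in the dependency tree and the dropped jsextension binaries, as an added example in Node.js (not code from the article or the UAParser.js project). It assumes the npm package name ua-parser-js and the package-lock.json layouts of lockfile versions 1 to 3; the sample lock file and file list are constructed.

```javascript
// Added example: flag the compromised ua-parser-js releases in a parsed package-lock.json
// and match file names against the binaries the post reports the malware drops.
const COMPROMISED = new Map([['0.7.29', '0.7.30'], ['0.8.0', '0.8.1'], ['1.0.0', '1.0.1']]);
const IOC_FILES = new Set(['jsextension', 'jsextension.exe']);
const PKG_RE = /(^|\/)ua-parser-js$/; // npm package name of UAParser.js (assumed)

// Collect every ua-parser-js install at a compromised version. Handles both the
// flat "packages" map (lockfileVersion 2/3) and the nested "dependencies" tree
// (lockfileVersion 1/2); entries present in both are reported once, keyed by path.
function findCompromisedUaParser(lock) {
  const hits = new Map();
  const check = (where, entry) => {
    if (PKG_RE.test(where) && COMPROMISED.has(entry.version) && !hits.has(where)) {
      hits.set(where, { path: where, version: entry.version, upgradeTo: COMPROMISED.get(entry.version) });
    }
  };
  for (const [where, entry] of Object.entries(lock.packages || {})) check(where, entry);
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(where, entry);
      walk(entry.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits.values()];
}

// Return the paths whose file name matches a dropped binary (Linux or Windows separators).
function findDroppedBinaries(filePaths) {
  return filePaths.filter((p) => IOC_FILES.has(p.split(/[\\\/]/).pop()));
}

// Constructed sample input, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/some-test-tool': { version: '1.2.3' },
    'node_modules/some-test-tool/node_modules/ua-parser-js': { version: '0.7.30' },
  },
  dependencies: {
    'ua-parser-js': { version: '0.7.29' },
    'some-test-tool': { version: '1.2.3', dependencies: { 'ua-parser-js': { version: '0.7.30' } } },
  },
};
const SAMPLE_FILES = ['/tmp/jsextension', 'C:\\Users\\dev\\jsextension.exe', '/usr/bin/node'];

console.log(findCompromisedUaParser(SAMPLE_LOCK)); // one hit: 0.7.29, upgrade to 0.7.30
console.log(findDroppedBinaries(SAMPLE_FILES));    // the two jsextension paths
```

A hit from the first function means the lock file pins a compromised release; an empty result only says the lock file is clean, so the binary check and the credential rotation the advisory calls for still apply to any machine that ran the bad versions.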

In general, development or build environments are convenient targets for attackers trying to organize supply-chain attacks. That means such environments urgently require antimalware protection.
