Malware found in npm package with millions of weekly downloads

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a cryptocurrency miner on systems where the compromised versions were installed.

  • The incident was detected on Friday, October 22.
  • It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings.
  • According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley’s elites.
  • The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.
  • Compromised versions: 0.7.29, 0.8.0, 1.0.0
  • Patched versions: 0.7.30, 0.8.1, 1.0.1

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” said Faisal Salman, author of the UAParser.js library.

Hours after discovering the hack, Salman pulled the compromised library versions—to prevent users from accidentally infecting themselves—and released clean ones.

Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were found for both Linux and Windows platforms. Windows users reported that the Defender antivirus blocked the binaries as Trojan:Win32/Ceprolad.A.

“From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage,” a GitHub user said on Friday.

Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) also stepped in and published a security alert late Friday night about the incident, urging developers to update to the safe versions.

GitHub’s security team also took note of the incident and advised developers to more caution, urging immediate password resets and token rotations.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This marks the fourth malicious npm package found this week. On Wednesday, Sonatype also found three newly-released npm libraries that contained similar malicious code, intended to download and install a cryptocurrency miner, targeting Linux and Windows systems alike.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Source: Recorded Future

Leave a Reply