Supply-chain attack on NPM Package UAParser, which has millions of daily downloads

The U.S. CISA warned of crypto-mining malware hidden in a popular JavaScript NPM library, named UAParser.js, which has millions of weekly downloads.

The U.S. Cybersecurity and Infrastructure Security Agency published an advisory to warn of the discovery of a crypto-mining malware in the popular NPM Package UAParser.js. The popular library has million of weekly downloads.

“Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system.” reads the advisory. “CISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1.”

The analysis of the experts revealed that at least three tainted versions of the package were uploaded to the repository, versions 0.7.29, 0.8.0, and 1.0.0.

According to the maintainer of the library,Faisal Salman, a threat actor has hijacked his NPM account to publish the infected packages.

“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary).” wrote the maintainer of the UAParser.js.

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0. I have sent a message to NPM support since I can’t seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.”

The tainted versions were replaced with clean versions 0.7.30, 0.8.1, and 1.0.1.

“The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.” reads another alert published by GitHub. “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”

The CISA’s alert comes a few days after the researchers from the security firm Sonatype have uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded on the official npm package repository. The names of the three npm packages were klow, klown, okhsa that were installing cryptocurrency miners on both Windows or Linux platforms.

The good news is that the above packages remained on the repository only for a day before they were discovered.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UAParser)

[adrotate banner=”5″]

[adrotate banner=”13″]