Developer moves quickly to address vulnerabilities after his account was compromised

An NPM package with millions of weekly downloads has been speedily updated after being hijacked and armed with cryptomining and password-exfiltrating malware.

Three malicious versions of the UA-Parser-JS library, which detects a user’s browser, engine, OS, CPU, and device via their browser’s user agent, surfaced on Friday (October 22).

The deliberately introduced critical vulnerabilities were absent from newer, benign versions released by the JavaScript package’s developer a few hours later.

It is thought that the miscreants were able to embed the malware within the package after gaining access to a maintainer’s account.

Update ASAP

Developers who inadvertently downloaded malicious versions, which can execute malicious code on both Linux and Windows devices, have been urged to update their systems “as soon as possible and check their systems for suspicious activity”, reads a security advisory on GitHub.

The rogue versions are 0.7.29, 0.8.0, and 1.0.0. The issue was remediated in versions 0.7.30, 0.8.1, and 1.0.1.


Machines with the vulnerable versions “installed or running should be considered fully compromised”, warns the advisory.

“All secrets and keys stored on that computer should be rotated immediately from a different computer,” it continues.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
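A lockfile check for the rogue versions listed above, as an added example that is not from the article or the advisory; the helper name `findRogueInstalls` is hypothetical and the sample lockfiles are constructed:

```javascript
// Added example: flag pinned installs of the rogue versions named in the article.
const ROGUE_VERSIONS = new Set(["0.7.29", "0.8.0", "1.0.0"]);
const PACKAGE_NAME = "ua-parser-js";

// findRogueInstalls (hypothetical helper) takes a parsed package-lock.json.
// lockfileVersion 2/3 use a flat "packages" map keyed by install path;
// lockfileVersion 1 uses a nested "dependencies" tree.
function findRogueInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An explicit "name" (e.g. an npm alias) wins over the folder name.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PACKAGE_NAME && ROGUE_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 also mirrors the tree; avoid duplicates
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PACKAGE_NAME && ROGUE_VERSIONS.has(meta.version)) {
        hits.push({ path: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here); // transitive copies nest here in v1
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" }, // root project, must not match
    "node_modules/ua-parser-js": { version: "0.7.30" }, // fixed release
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.1.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
    "ua-parser-js": { version: "1.0.1" }, // fixed release
  },
};
console.log(findRogueInstalls(sampleV3), findRogueInstalls(sampleV1));
```

A lockfile only shows what is pinned now, so a clean result does not rule out a rogue version having been installed during the window and later replaced.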

‘Flooded by spam’

Sabotaging UA-Parser-JS was a real coup for the attacker given its reach. The package is downloaded around eight million times a week and is used by Google, Amazon, Facebook, IBM, and Microsoft, among numerous other tech giants.

UA-Parser-JS developer Faisal Salman believes the package was hijacked after attackers compromised his NPM account.

“I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites (maybe so I [didn’t] realize something was up, luckily the effect is quite the contrary),” he recounted in a bug remediation thread.

In the same thread, GitHub user @aimozg said the trojan reads browser user data files, adding that they checked ‘files written’ against their infected PC and “it does look like a script to export OS credentials and a copy of cookies DB file from Chrome”.

Based on the package’s weekly download rate and the four hours the malicious releases were available, the developer told The Daily Swig that a guesstimate for the number of malicious downloads might be in the region of 188,000.

Impersonator-turned-hijacker

The corrupted package appears to be linked to another trio of rogue NPM libraries discovered earlier in the month by researchers from DevOps automation specialist Sonatype.

One of these JavaScript packages, which impersonated legitimate libraries but in fact launched cryptominers on Windows, macOS, and Linux machines, purported to be UA-Parser-JS.

Sonatype said it alerted the NPM security team to the malicious packages on October 15 within hours of their release, and the rogue libraries were removed on the same day. The NPM account for the author who released them was also deactivated.

Sonatype said the rogue libraries were among thousands of suspicious packages – “either confirmed malicious, previously known to be malicious, or dependency confusion copycats” – that it had detected on the NPM Registry in recent weeks.

The firm’s latest annual State of the Software Supply Chain Report recently revealed that software supply chain attacks have soared by 650% year on year, surpassing 12,000 incidents over 12 months.

The Daily Swig has sent additional queries to package developer Faisal Salman. We will update this article if and when we receive a response.

