Popular npm package hijacked, modified to deliver cryptominers

Several versions of the npm package for UA-parser.js, a widely used JavaScript library, have been modified to include malicious code and have been made available for download.

The malicious versions check whether the device on which they have been installed runs Windows or Linux and, depending on the result, install a XMRig Monero cryptominer. Windows victims can also get saddled with a trojan that will try to steal cookies from Chrome and passwords for various browsers, email clients, FTP clients, messaging apps, dialers, VPN accounts, online poker accounts, Windows passwords, and so on.

About UA-parser.js

UA-parser.js is a JavaScript library that detects browser, engine, OS, CPU, and device type/model from User-Agent data.

The library’s lightweight npm package is extremely popular: according to the numbers on its npm registry page, it surpasses 8 million weekly downloads. Over 1,200 (often widely used) modules depend on it, and so do many big tech companies.

What happened?

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here,” Faisal Salman, the library’s developer, explained.

It didn’t take long for GitHub – the owner of npm – to react. The compromised packages were removed from the repository and a security advisory was published.

Users are advised to ugrade to one of the newer, unaffected versions – 0.7.30, 0.8.1 or 1.0.1 – and check their systems for suspicious activity.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they advised.

Indicators of compromise are listed here.

Even though the compromise of the UA-parser.js package was detected within hours of it happening, this supply chain compromise will likely affect a number of dependent projects. According to Sonatype researcher Ax Sharma, “Other projects on GitHub were seen by Sonatype performing postmortem efforts that are yet to disclose impact.”

According to previous discoveries made by the company, the UA-parser.js compromise happened ten days after someone published three malicious packages on npm named “klow”, “klown”, and “okhsa” that also launched cryptominers on Windows, macOS and Linux machines.

“Some of these packages, e.g., klown, were seen mimicking ‘ua-parser-js’ in their structure, READMEs, and the npm page’s look-and-feel,” they noted.

Source: Sonatype

“It isn’t clear how the author of these packages aims to target developers,” the company’s researchers commented at the time. “There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. “Klow(n)” does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt.”

Now we know that the attacker likely did not stop once these packages were taken down by the npm security team, and instead (unsurprisingly) managed to compromise the real deal.