searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Reports
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
  • (IN)SECURE Magazine
Zeljka Zorz
Zeljka Zorz, Managing Editor, Help Net Security
October 26, 2021
Share

Popular npm package hijacked, modified to deliver cryptominers

Several versions of the npm package for UA-parser.js, a widely used JavaScript library, have been modified to include malicious code and have been made available for download.

UA-parser.js

The malicious versions check whether the device on which they have been installed runs Windows or Linux and, depending on the result, install a XMRig Monero cryptominer. Windows victims can also get saddled with a trojan that will try to steal cookies from Chrome and passwords for various browsers, email clients, FTP clients, messaging apps, dialers, VPN accounts, online poker accounts, Windows passwords, and so on.

About UA-parser.js

UA-parser.js is a JavaScript library that detects browser, engine, OS, CPU, and device type/model from User-Agent data.

The library’s lightweight npm package is extremely popular: according to the numbers on its npm registry page, it surpasses 8 million weekly downloads. Over 1,200 (often widely used) modules depend on it, and so do many big tech companies.

What happened?

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here,” Faisal Salman, the library’s developer, explained.

It didn’t take long for GitHub – the owner of npm – to react. The compromised packages were removed from the repository and a security advisory was published.

Users are advised to ugrade to one of the newer, unaffected versions – 0.7.30, 0.8.1 or 1.0.1 – and check their systems for suspicious activity.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they advised.

Indicators of compromise are listed here.

Even though the compromise of the UA-parser.js package was detected within hours of it happening, this supply chain compromise will likely affect a number of dependent projects. According to Sonatype researcher Ax Sharma, “Other projects on GitHub were seen by Sonatype performing postmortem efforts that are yet to disclose impact.”

According to previous discoveries made by the company, the UA-parser.js compromise happened ten days after someone published three malicious packages on npm named “klow”, “klown”, and “okhsa” that also launched cryptominers on Windows, macOS and Linux machines.

“Some of these packages, e.g., klown, were seen mimicking ‘ua-parser-js’ in their structure, READMEs, and the npm page’s look-and-feel,” they noted.

UA-parser.js

Source: Sonatype

“It isn’t clear how the author of these packages aims to target developers,” the company’s researchers commented at the time. “There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. “Klow(n)” does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt.”

Now we know that the attacker likely did not stop once these packages were taken down by the npm security team, and instead (unsurprisingly) managed to compromise the real deal.




More about
  • account hijacking
  • GitHub
  • JavaScript
  • Linux
  • malware
  • open source
  • software development
  • Sonatype
  • supply chain compromise
  • Windows
Share this

Featured news

  • VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972)
  • Many security engineers are already one foot out the door. Why?
  • Fix your IT weak spots to guarantee compliance
Easily migrate to the cloud with CIS Hardened Images

What's new

VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972)

Many security engineers are already one foot out the door. Why?

Prioritize patching vulnerabilities associated with ransomware

46% of organizations still store passwords in shared documents

Don't miss

VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972)

Many security engineers are already one foot out the door. Why?

U.S. warns of North Korean hackers posing as IT freelancers

Fix your IT weak spots to guarantee compliance

5 critical questions to test your ransomware preparedness

Help Net Security - Daily information security news with a focus on enterprise security.
Follow us
  • Features
  • News
  • Expert Analysis
  • Reviews
  • Events
  • Reports
  • Whitepapers
  • Industry news
  • Newsletters
  • Product showcase
  • Twitter

In case you’ve missed it

  • Data centers on steel wheels: Can we trust the safety of the railway infrastructure?
  • Good end user passwords begin with a well-enforced password policy
  • Keep your digital banking safe: Tips for consumers and banks
  • Is cybersecurity talent shortage a myth?

(IN)SECURE Magazine ISSUE 71 (March 2022)

  • Why security strategies need a new perspective
  • The evolution of security analytics
  • Open-source code: How to stay secure while moving fast
Read online
© Copyright 1998-2022 by Help Net Security
Read our privacy policy | About us | Advertise