Malicious actors hijacked a popular JavaScript NPM library with millions of weekly downloads to infect Windows and Linux machines with crypto-miners and password-stealing malware.
The affected library is UA-Parser-JS, which is used to detect browser, engine, OS, CPU, and device type/model from User-Agent data. As per its official site, the library is used by companies like Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and others.
The incident took place on Friday, October 22. Malicious actors appear to have hijacked the NPM account of Faisal Salman, developer of the UAParser.js library, and published three malicious versions (0.7.29, 0.8.0, 1.0.0) that installed a password stealer and crypto-miner on machines where the compromised packages were used.
“I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my NPM account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware. I have sent a message to NPM support since I can't seem to unpublish the compromised versions so I can only deprecate them with a warning message,” Faisal Salman said.
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” a warning on GitHub reads.
The issue has been addressed in versions 0.7.30, 0.8.1, and 1.0.1.