A very popular JavaScript library (npm package) has been compromised and modified with malicious code that downloads and installs a cryptocurrency miner on the systems that run the infringed versions.
The incident was located on Friday, October 22. Affects UAParser.js, a JavaScript library for reading information stored in strings.
According to the official website of the library, it is used by many large companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit and many others from the elites of Silicon Valley.
This library has from 6 to 7 million weekly downloads, according to the npm page.
- The violated versions are: 0.7.29, 0.8.0, 1.0.0, while the respective updates are: 0.7.30, 0.8.1, 1.0.1
"I think someone has compromised my npm account and released some compromised packages (0.7.29, 0.8.0, 1.0.0) which will most likely install malware," said Faisal Salman, author of the UAParser.js library.
A few hours after the hack was discovered, Salman removed the copied versions of the library and released them clean.
Malicious code analysis revealed additional scripts that would download and run binaries from a remote server. Found binaries for Linux platforms but also for Windows. Windows users have reported that Defender blocked binaries like Trojan: Win32 / Ceprolad.A.
Due to the large number of downloads and large companies using the library, the US Cybersecurity and Infrastructure Security Agency (CISA) intervened and issued a security warning late Friday night about the incident, urging to update to secure versions.
The GitHub security team Reported also this incident and advises developers to be very careful, urging the immediate reset of passwords.
Any computer that has this package installed or running should be considered completely compromised. The package must be removed, but since full control of the computer may have been given to an external entity, there is no guarantee that removing the package will remove all the malware.