A very popular JavaScript library (npm package) has been compromised and modified with malicious code that downloads and installs a cryptocurrency miner on the systems that run the infringed versions.
The incident was located on Friday, October 22. Affects UAParser.js, a JavaScript library for reading information stored in strings.
According to the official website of the library, it is used by many large companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit and many others from the elites of Silicon Valley.
This library has from 6 to 7 million weekly downloads, according to the npm page.
- The violated versions are: 0.7.29, 0.8.0, 1.0.0, while the respective updates are: 0.7.30, 0.8.1, 1.0.1
"I think someone has compromised my npm account and released some compromised packages (0.7.29, 0.8.0, 1.0.0) which will most likely install malware," said Faisal Salman, author of the UAParser.js library.
A few hours after the hack was discovered, Salman removed the copied versions of the library and released them clean.
Η analysis of the malicious code revealed additional scripts that would download and run binaries from a remote server. Binaries were found for Linux platforms as well as for Windows. Windows users reported that Defender blocked binaries like Trojan: Win32/Ceprolad.A.
Λόγω του μεγάλου αριθμού λήψεων και των μεγάλων εταιρειών που χρησιμοποιούν τη βιβλιοθήκη, η Υπηρεσία Κυβερνοασφάλειας και Ασφάλειας Υποδομών των USA (CISA από το Cybersecurity and Infrastructure Security Agency) παρενέβη και δημοσίευσε μια προειδοποίηση ασφαλείας αργά το βράδυ της Παρασκευής για το περιστατικό, προτρέποντας στους προγραμματιστές να ενημερώσουν σε ασφαλείς εκδόσεις.
The GitHub security team Reported also the specific incident and advises developers to be very careful, urging to reset the codes immediately accesss.
Each computer who has installed or run this package should be considered fully hacked. The package must be removed, but since full control of the computer may have been given to an external entity, there is no guarantee that removing the package will remove all the malware.