A very popular JavaScript library (npm package) has been compromised and modified with malicious code that downloads and installs a cryptocurrency miner on the systems that run the compromised versions.
The incident was detected on Friday, October 22. It affects UAParser.js, a JavaScript library that parses the information stored in a User-Agent string.
According to the library's official website, it is used by many large companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit and many other Silicon Valley elites.
The library has between 6 and 7 million weekly downloads, according to its npm page.
- The compromised versions are 0.7.29, 0.8.0 and 1.0.0; the corresponding fixed versions are 0.7.30, 0.8.1 and 1.0.1.
"I think someone has compromised my npm account and released some compromised packages (0.7.29, 0.8.0, 1.0.0) which will most likely install malware," said Faisal Salman, author of the UAParser.js library.
A few hours after the hijack was discovered, Salman removed the compromised versions of the library and released clean replacements.
Analysis of the malicious code revealed additional scripts that download and run binaries from a remote server. Binaries for both Linux and Windows were found. Windows users reported that Microsoft Defender was blocking the binaries, detecting them as Trojan:Win32/Ceprolad.A.
Because of the large number of downloads and the large companies using the library, the US Cybersecurity and Infrastructure Security Agency (CISA) intervened and issued a security alert late Friday night about the incident, urging users to update to the fixed versions.
The GitHub security team also reported the incident and advises developers to be very careful, urging them to reset their passwords immediately.
Any computer that has this package installed or running should be considered completely compromised. The package must be removed, but since full control of the computer may have been given to an external entity, there is no guarantee that removing the package will remove all the malware.
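As an added example (not code from the article or from the UAParser.js project), the following script checks an npm lockfile for the three compromised releases listed above and reports every installed copy, including copies a transitive dependency pinned under its own node_modules directory. It assumes the npm package name is ua-parser-js and that the lockfile is in package-lock.json format (lockfileVersion 1, 2 or 3); the sample lockfile and the package "some-widget" are constructed for the demonstration.

```javascript
// Added example: find compromised ua-parser-js releases in a parsed package-lock.json.
// Versions published from the hijacked npm account -> clean replacement (from the advisory).
const COMPROMISED = { "0.7.29": "0.7.30", "0.8.0": "0.8.1", "1.0.0": "1.0.1" };

// Yields { path, name, version } for every installed package. lockfileVersion 2/3
// lists packages flat, keyed by install path; lockfileVersion 1 nests "dependencies".
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry, not a dependency
      // Name is everything after the last "node_modules/" (scoped names keep "@scope/").
      yield { path, name: path.replace(/^.*node_modules\//, ""), version: meta.version };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { path, name, version: meta.version };
      yield* walk(meta.dependencies, `${path}/`); // nested copies under this package
    }
  }
  yield* walk(lock.dependencies, "");
}

// One finding per compromised copy, with the version to upgrade to. Checking every
// copy matters: a clean top-level install does not clear a nested compromised one.
function findCompromised(lock) {
  const findings = [];
  for (const p of installedPackages(lock)) {
    if (p.name === "ua-parser-js" && COMPROMISED[p.version]) {
      findings.push({ ...p, upgradeTo: COMPROMISED[p.version] });
    }
  }
  return findings;
}

// Constructed sample lockfile: a clean direct dependency plus a compromised copy
// nested under the hypothetical package "some-widget".
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.30" },
    "node_modules/some-widget": { version: "2.1.0" },
    "node_modules/some-widget/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} is compromised, upgrade to ${h.upgradeTo}`);
}
```

To check a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means the host should be treated as compromised per the advice above, not merely patched.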