A very popular JavaScript library (npm package) was hacked and modified with malicious code that downloads and installs a cryptocurrency miner on the systems running the hacked versions.
The incident was located on Friday, October 22. Affects UAParser.js, a JavaScript library for reading information stored in strings.
According to the official website of the library, it is used by many large companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit and many others from the elites of Silicon Valley.
This library has from 6 to 7 million weekly downloads, according to the npm page.
- The violated versions are: 0.7.29, 0.8.0, 1.0.0, while the respective updates are: 0.7.30, 0.8.1, 1.0.1
"I think someone has compromised my npm account and released some compromised packages (0.7.29, 0.8.0, 1.0.0) which will most likely install malware," said Faisal Salman, author of the UAParser.js library.
A few hours after the hack was discovered, Salman removed the copied versions of the library and released them clean.
Malicious code analysis revealed additional scripts that would download and run binaries from a remote server. Found binaries for Linux platforms but also for Windows. Windows users have reported that Defender blocked binaries like Trojan: Win32 / Ceprolad.A.
Due to the large number of downloads and large companies using the library, the US Cybersecurity and Infrastructure Security Agency (CISA from Cybersecurity and Infrastructure Security Agency) παρενέβη και δημοσίευσε μια προnotice security late Friday night about the incident, urging developers to update to secure builds.
The GitHub security team Reported also this incident and advises developers to be very careful, urging the immediate reset of passwords.
Each computers who has installed or run this package should be considered fully hacked. The package must be removed, but since full control of the computer may have been given to an external entity, there is no guarantee that removing the package will remove all the malware.
