A very popular JavaScript library (npm package) has been compromised and modified with malicious code that downloads and installs a cryptocurrency miner on the systems that run the infringed versions.
The incident was located on Friday, October 22. Affects UAParser.js, a JavaScript library for reading information stored in strings.
According to the library's official website it is used by many majors Companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit and many more of Silicon Valley's elite.
This library has from 6 to 7 million weekly downloads, according to the npm page.
- The violated versions are: 0.7.29, 0.8.0, 1.0.0, while the respective updates are: 0.7.30, 0.8.1, 1.0.1
"I think someone has compromised my npm account and released some compromised packages (0.7.29, 0.8.0, 1.0.0) which will most likely install malware," said Faisal Salman, author of the UAParser.js library.
A few hours after the hack was discovered, Salman removed the copied versions of the library and released them clean.
Malicious code analysis revealed additional scripts that would download and run binaries from a remote server. Found binaries for Linux platforms but also for Windows. Windows users have reported that Defender blocked binaries like Trojan: Win32 / Ceprolad.A.
Due to the large number of downloads and large companies using the library, the US Cybersecurity and Infrastructure Security Agency (CISA) intervened and issued a security warning late Friday night about the incident, urging to update to secure versions.
The GitHub security team Reported also the specific incident and advises developers to be very careful, urging to reset the codes immediately access.
Each computerς που έχει εγκαταστήσει ή τρέχει αυτό το πακέτο θα πρέπει να θεωρείται πλήρως παραβιασμένος. Το πακέτο πρέπει να αφαιρεθεί, αλλά καθώς ο πλήρης control of the computer may have been given to some external entity, there is no guarantee that removing the package will remove all malware.
