Versions of popular NPM package UA-Parser-JS were found to contain malicious code

The NPM package UA-Parser-JS

Three versions of the popular ua-parser-js NPM package used in many apps and webpages were recently hijacked and repurposed for data exclusion and crypto mining activities.

Image 2021 10 26 133852

The UA-Parser-JS Malware

The ua-parser-js package, under normal circumstances, is used to detect the OS, CPU, browser, engine, and device of the user through their browser’s agent. However, after getting hijacked and armed with malware, the three compromised versions of the package pose a serious threat to devices that have any of the package versions installed on them.

JavaScript has taken emergency countermeasures by releasing new ua-parser-js versions to patch out the vulnerabilities of the compromised package versions.

It’s theorized that the likely cause of the hijacking of the affected ua-parser-js versions is that the threat actors have gained access to the account of an ua-parser-js maintainer.

The UA-Parser-JS Vulnerability

Software and webpage developers who have downloaded the compromised package versions are urged to immediately update their systems to the latest ua-parser-js version (as those are exempt from the exploited vulnerabilities) and also check their systems for any signs of malicious activity.

The compromised ua-parser-js versions are 0.7.29, 0.8.0, and 1.0.0, and the versions in which the exploited vulnerabilities have been patched out are 0.7.30, 0.8.1, and 1.0.1.

According to a GitHub advisory that addresses this issue, any device that has either of the hijacked ua-parser-js versions should be regarded as fully compromised. The advisory recommends that any secrets and keys that are stored on the compromised device should be rotated with the help of another device that’s unaffected. Also, developers need to immediately remove the infected packages. However, since the true extent of this malware campaign is yet to be revealed and since outside entities may have already gained remote access to and control over the device, deleting the compromised package doesn’t guarantee that all malicious software would get removed.

Attack on the account of the ua-parser-js developer

The ua-parser-js package receives around eight million downloads every week and is used by companies such as Microsoft, Google, Facebook, and Amazon, among others.

According to Faisal Salman, the developer of ua-parser-js, the package has likely been hijacked after the threat actors have broken into his NPM account.

He states in a GitHub thread that he noticed that his email suddenly started getting flooded by spam letters coming from different sites. Faisal Salman assumes that the purpose of the spam letters was to distract him from the actual problem and make it, so he doesn’t become suspicious of anything, but, as it turns out, the letters had the contrary effect.

A user who goes by the @aimozg name commented on the same thread that the Trojan reads data files of the user’s browser and likely aims to extract OS credentials and cookies DB file copies from the Chrome browser.

Based on the average number of weekly downloads that the package receives and the period of four hours during which the malware was spreading freely before countermeasures were taken, it has been estimated that the likely approximate number of infected downloads should be around 188, 000.

An abundance of rogue impersonator libraries

Further research conducted by DevOps researchers suggests that the compromised package may be linked to a different set of three hijacked NPM libraries that were also discovered this month.

One of that other tree compromised packages is reported to mimic legitimate libraries and falsely claim to be ua-parser-js with the goal to secretly launch cryptocurrency-mining scripts on macOS, Linux, and Windows systems.

The Sonatype software company states that it has alerted the NPM security about the malicious NPM packages earlier this month, on the 15th of October, just a couple of hours after the packages’ release, which resulted in the removal of those libraries. In addition, the NPM account of the libraries’ creator was deactivated.

According to Sonatype, the detected rogue libraries were one of the thousands of potentially threatening libraries detected by the company in the past few weeks.

The latest State of the Software Supply Chain Report by the company shows that there have been over 12, 000 software supply chain attacks for a period of 12 months, which is an increase of 650% compared to the previous 12-month period.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

Leave a Comment