A popular JavaScript library downloaded millions of times a week has been hijacked; Windows devices are also at risk of password theft



'UAParser.js', published on npm (a package manager for JavaScript), is a library that parses user agent strings. It is used by more than 1,000 projects, including those of major companies such as Facebook, Microsoft, Amazon, and Google. It has now emerged that UAParser.js was hijacked by an attacker and loaded with a Trojan that mines cryptocurrency and steals passwords on Linux and Windows devices.

Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm packages ua-parser-js · Issue #536 · faisalman/ua-parser-js · GitHub
https://github.com/faisalman/ua-parser-js/issues/536

Popular NPM library hijacked to install password-stealers, miners
https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/

Malware found in npm package with millions of weekly downloads - The Record by Recorded Future
https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads/

UAParser.js is a library that parses the user agent strings of visitors to a website to identify the browser type, rendering engine, operating system, CPU architecture, and device type and model. Because it is so convenient, it is used in numerous projects, including those of well-known companies such as Facebook, Microsoft, Amazon, Google, Instagram, Slack, Mozilla, and Discord, and is downloaded millions of times a week. According to the IT news site Bleeping Computer, downloads in October 2021 had already exceeded 24 million as of October 23.

However, it turned out that new versions of UAParser.js distributed on npm on October 22, 2021 contained a Trojan that installed malware on the Linux and Windows devices that downloaded them.

In his bug report, the developer Faisal Salman wrote: 'Hello everybody, and I am sorry. When a large amount of spam email from a few hundred websites came flooding in, I noticed that something had changed. It seems that someone hijacked my npm account and released some defective packages (0.7.29, 0.8.0, 1.0.0). As you can see from the differences with previous versions, this will probably install malware.'



When a user installs a compromised version of UAParser.js, the package's preinstall.js script checks which OS the device is running and launches either a Linux shell script or a Windows batch file accordingly.

If the device is running Linux, the preinstall.sh script checks whether the user is located in Russia, Ukraine, Belarus, or Kazakhstan; if not, it runs the jsextension program. jsextension installs and runs XMRig, a tool for mining the cryptocurrency Monero, throttled to only 50% of the CPU so that users are less likely to notice it.

If the device is running Windows, in addition to saving XMRig as jsextension.exe, the batch file downloads a file named sdd.dll and saves it as create.dll. This DLL is a Trojan that attempts to steal passwords stored on the device, probably DanaBot. When the DLL is loaded, it is reported to steal credentials from messaging apps, browsers, FTP clients, VNC clients, games, and Windows Credential Manager.

The attacker behind this incident is suspected to be the same one behind similar attacks on other npm libraries. A few hours after noticing that his npm account had been hijacked, Salman released clean versions of UAParser.js (0.7.30, 0.8.1, 1.0.1) that fix the issue. At the time of writing, the defective packages (0.7.29, 0.8.0, 1.0.0) have been taken down by npm support and are no longer available for download.



Bleeping Computer points out that the impact of this supply chain attack via UAParser.js is widespread and that all users should check their projects for the malicious versions. If jsextension or jsextension.exe exists, it should be removed, and Windows users should also remove create.dll immediately.

Also, although it is believed that only Windows users were infected with the password-stealing Trojan, Linux users would be wise to assume that their devices are at risk too. Bleeping Computer advised that all Windows and Linux users infected by the Trojan should change their passwords and tokens.

in Software,   Security, Posted by log1h_ik