[TheRecord] Malware found in npm package with millions of weekly downloads

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a cryptocurrency miner on systems where the compromised versions were installed.

The incident was detected on Friday, October 22.It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings.According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley’s elites.The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.Compromised versions: 0.7.29, 0.8.0, 1.0.0Patched versions: 0.7.30, 0.8.1, 1.0.1

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” said Faisal Salman, author of the UAParser.js library.

Hours after discovering the hack, Salman pulled the compromised library versions—to prevent users from accidentally infecting themselves—and released clean ones.

Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were found for both Linux and Windows platforms. Windows users reported that the Defender antivirus blocked the binaries as Trojan:Win32/Ceprolad.A.

“From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage,” a GitHub user said on Friday.

Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) also stepped in and published a security alert late Friday night about the incident, urging developers to update to the safe versions.

GitHub’s security team also took note of the incident and advised developers to more caution, urging immediate password resets and token rotations.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This marks the fourth malicious npm package found this week. On Wednesday, Sonatype also found three newly-released npm libraries that contained similar malicious code, intended to download and install a cryptocurrency miner, targeting Linux and Windows systems alike.

The post Malware found in npm package with millions of weekly downloads appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] Log4j flaw: Attackers are targeting Log4Shell vulnerabilities in VMware Horizon servers, says NHS

All posts, ZDNet

NHS Digital issues an advisory urging organisations to take action to protect themselves. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ThreatPost] SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike

All posts, ThreatPost

Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader. Source: Read More (Threatpost)

Read More

[TheRecord] The FTC wants to ban a stalkerware app maker and make it notify victims. Is that enough?

The Federal Trade Commission announced Wednesday a proposed settlement with Support King, the company behind alleged Android stalkerware app SpyFone, and its CEO Scott Zuckerman that will ban the company and Zuckerman from the surveillance business, delete data it harvested, and seek to notify victims.  “This case is an important reminder that surveillance-based businesses pose […]

Read More