“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” said Faisal Salman, author of the UAParser.js library.
Hours after discovering the hack, Salman pulled the compromised library versions—to prevent users from accidentally infecting themselves—and released clean ones.
Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were found for both Linux and Windows platforms. Windows users reported that the Defender antivirus blocked the binaries as Trojan:Win32/Ceprolad.A.
“From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage,” a GitHub user said on Friday.
Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) also stepped in and published a security alert late Friday night about the incident, urging developers to update to the safe versions.
GitHub’s security team also took note of the incident and advised developers to more caution, urging immediate password resets and token rotations.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
This marks the fourth malicious npm package found this week. On Wednesday, Sonatype also found three newly-released npm libraries that contained similar malicious code, intended to download and install a cryptocurrency miner, targeting Linux and Windows systems alike.
The post Malware found in npm package with millions of weekly downloads appeared first on The Record by Recorded Future.
Source: Read More (The Record by Recorded Future)