[TheRecord] Malware found in npm package with millions of weekly downloads

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a cryptocurrency miner on systems where the compromised versions were installed.

The incident was detected on Friday, October 22. It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings. According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley’s elites. The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.

Compromised versions: 0.7.29, 0.8.0, 1.0.0
Patched versions: 0.7.30, 0.8.1, 1.0.1

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” said Faisal Salman, author of the UAParser.js library.

Hours after discovering the hack, Salman pulled the compromised library versions—to prevent users from accidentally infecting themselves—and released clean ones.

Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were found for both Linux and Windows platforms. Windows users reported that the Defender antivirus blocked the binaries as Trojan:Win32/Ceprolad.A.

“From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage,” a GitHub user said on Friday.

Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) also stepped in and published a security alert late Friday night about the incident, urging developers to update to the safe versions.

GitHub’s security team also took note of the incident and advised developers to exercise more caution, urging immediate password resets and token rotations.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This marks the fourth malicious npm package found this week. On Wednesday, Sonatype also found three newly-released npm libraries that contained similar malicious code, intended to download and install a cryptocurrency miner, targeting Linux and Windows systems alike.

The post Malware found in npm package with millions of weekly downloads appeared first on The Record by Recorded Future.

