Popular JavaScript package UAParser.js infected with malware

Npm package UAParser.js, installed on tens of millions of computers worldwide, has been infected with a password stealer and a miner. Here’s what to do.

Unknown attackers have compromised several versions of the popular JavaScript library UAParser.js (npm package ua-parser-js) by injecting malicious code. According to the download statistics on the project page, a large number of projects depend on the library, which is downloaded 6 to 8 million times every week.

The attackers published three trojanized versions of the library: 0.7.29, 0.8.0, and 1.0.0. All users and administrators should update to versions 0.7.30, 0.8.1, and 1.0.1, respectively, as soon as possible.

What UAParser.js is, and why it is so popular

JavaScript developers use the UAParser.js library to parse the User-Agent string that browsers send. It is used on many websites and in the development pipelines of numerous companies, including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, and more. Moreover, many projects do not depend on it directly but through third-party tools such as the Karma test framework, which depends on this library itself. That adds another link to the supply chain and widens the scale of the attack: a project that never declared ua-parser-js in its own package.json could still pull in a compromised copy transitively.

Introduction of malicious code

The attackers embedded malicious scripts into the library that download additional payloads and execute them on the victim's computer, on both Linux and Windows. One payload mines cryptocurrency. A second, Windows-only payload steals confidential information such as browser cookies, saved passwords, and operating system credentials.

That may not be all: according to the warning from the US Cybersecurity and Infrastructure Security Agency (CISA), installing the affected versions could allow an attacker to obtain sensitive information from, or take control of, the infected system.

According to GitHub users who analyzed the packages, the malware drops a binary named jsextension (on Linux) or jsextension.exe (on Windows). The presence of either file is a clear indicator that the system has been compromised.

How malicious code got into the UAParser.js library

Faisal Salman, the developer of the UAParser.js project, stated that an unidentified attacker gained access to his account in the npm registry and used it to publish the three malicious versions of the library. The developer immediately added a warning to the compromised packages and contacted npm support, which quickly removed the dangerous versions. However, while the packages were available, a significant number of machines could have downloaded them.

Apparently, the malicious versions were available for a little over four hours, from 14:15 to 18:23 CET on October 22, 2021. That evening the developer noticed unusual spam activity in his inbox, which he said was what alerted him to the suspicious activity, and he then discovered the root cause. It is hard to know how many times the infected versions were downloaded in that window, but within three days of the incident their malicious code was detected by the security solutions at several dozen of our corporate clients around the world.

What to do if you downloaded infected libraries

The first step is to scan the affected computers for malware, including the jsextension / jsextension.exe binaries mentioned above. All components of the malware used in this attack are detected by our products.

Then update the library to the patched versions: 0.7.30, 0.8.1, or 1.0.1, depending on which release line you use. That alone is not enough, however. According to the advisory, any computer on which an infected version of the library was installed or executed should be considered fully compromised. Therefore, users and administrators should rotate all credentials, secrets, and keys that were used or stored on those computers, and do so from a different, known-clean machine.

In general, development and build environments are convenient targets for attackers organizing supply-chain attacks, because a single compromised dependency is executed on every developer's and build server's machine. Such environments therefore urgently require antimalware protection, as well as the same care over dependency hygiene (pinned versions in lockfiles, prompt review of unexpected upstream releases) that is applied to production systems.