NPM clones with 8 million weekly downloads mine Monero and steal passwords

Tomcat



Attackers hijacked the npm account of the UAParser.js project's author and published three malicious updates that download a cryptominer and a password-stealing Trojan. Clean versions of the package are already available, and users are advised to upgrade immediately.

The open source UAParser.js library, which parses the User-Agent HTTP header, is very popular. It is used by over 1200 projects, including products from Microsoft, Amazon, Google, Facebook, Mozilla, Apple, Dell, IBM, Siemens, Oracle, HP, MongoDB, Slack, and ProtonMail. The npm package sees about 8 million weekly downloads; in October alone it has already been downloaded over 24 million times.

At the end of last week, three malicious updates to the UAParser.js package appeared on npm: 0.7.29, 0.8.0 and 1.0.0. The project's author believes his account in the registry was hijacked, and complains that the registry's policies prevented him from unpublishing the dangerous releases.

Analysis by BleepingComputer showed that when an infected version of UAParser.js is installed, its preinstall.js script checks the operating system and runs either a Linux shell script or a Windows batch file.

On Linux, the script also checks the victim's geolocation; if the machine is located in Russia, Ukraine, Belarus or Kazakhstan, the script exits. Otherwise it downloads and launches the XMRig miner (saved as a file named jsextension), which is limited to 50% of CPU to avoid detection.

On Windows the cryptominer is downloaded as well (saved as jsextension.exe). In addition, the batch file downloads the malicious library sdd.dll (saved as create.dll), a Trojan that steals passwords from browsers, instant messengers, email, FTP and VNC clients, as well as from the Windows Credential Manager. According to researchers, it is a variant of the well-known DanaBot.

The UAParser.js developers regained control of the project within a few hours and released clean versions 0.7.30, 0.8.1 and 1.0.1. According to the advisory on GitHub, anyone who installed a malicious version is advised to update as soon as possible and check the system for suspicious activity. All passwords, keys and certificates stored on the affected machine should be rotated from a different computer.

Researchers believe the person behind these malicious releases is the same one who posted similarly named malicious UAParser.js clones on npm a week earlier. Those packages were quickly detected and removed, and the account behind them was closed.