Embedded malware discovered in NPM package ua-parser-js

Embedded malware has been discovered in an NPM package ua-parser-js, a popular JavaScript library designed to detect browser, engine, OS, CPU, and device type/model from User-Agent data.

The ua-parser-js can be used in either a browser (client-side) or node.js (server-side).

Details on the issue was posted on GitHub Advisory Database on October 22, 2021:

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
GitHub

Affected ua-parser-js versions include: 0.7.29, 0.8.0, and 1.0.0.

Users are recommended to update to the appropriate patched versions: 0.7.30, 0.8.1, or 1.0.1.

Code author Faisal Salman added more details and responded to numerous questions on the deprecated npm package ua-parser-js also on GitHub (Issue #536).

“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary),” Faisal wrote in a post.

“I believe someone was hijacking my npm account and published some compromised packages.”

Another user ‘alex-drocks’ also provided details on October 26 on how his system got compromised.

“My Win 10 dev box got compromised on Friday (I’m in the process of wiping it completely clean now). For what I know only jsextension.exe run, but I got a shortcut placed in the Start Menu’s Startup folder trying to run create.dll with rundll32.exe.”

Multiple GitHub users also recommended everyone who publishes to NPM should activate two-factor authentication protection.

Related Articles