The library is downloaded millions of times a week; this month alone it had over 24 million downloads. It is used in various popular projects, including those by Facebook, Microsoft, Google, Slack, Amazon, Instagram, Mozilla, Discord, Elastic, Intuit, Reddit, and many more companies.
The threat actor published malicious versions of the UA-Parser-JS NPM library on October 22nd. Three compromised versions of the open-source library were published (0.7.29, 0.8.0, and 1.0.0), so that users updating to them would unknowingly install a malicious package.
“I believe someone was hijacking my NPM account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” UAParser.js’s developer Faisal Salman said.
For Windows and Linux devices, the malicious jsextension file will download the XMRig Monero cryptominer, save it as jsextension.exe [VirusTotal], and execute it. In addition, the batch file downloads an sdd.dll file, which is a password-stealing trojan (possibly DanaBot).
Reportedly, the issue has been patched in versions 0.7.30, 0.8.1, and 1.0.1 respectively.
This incident follows the news about three malicious NPM packages, okhsa, klow, and klown, that could allow attackers to mine cryptocurrency on victims' machines.
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” GitHub noted in an independent alert. “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
All users of the UA-Parser-JS library are advised to check their projects for malicious software, change their passwords and keys, and refresh their tokens.