
UAParser.js NPM package infected with malware


A rather popular JavaScript library called UAParser.js, maintained by Faisal Salman, was infected with malware last Friday. The library was hijacked and modified with malicious code that downloads and installs a password stealer alongside a cryptocurrency miner on systems running the compromised versions.

According to the library’s author, “I believe someone was hijacking my npm account and published some compromised packages which will probably install malware.” Hours after discovering the hack, Salman pulled the compromised versions and replaced them with patched ones. 

At the time of writing, the library had 7,899,915 weekly downloads and is used by some of the biggest Silicon Valley giants.

Big download numbers equal big threat potential

Further analysis of the malicious code revealed extra scripts that can download and execute binaries from a remote server. These binaries were provided for both Windows and Linux. According to a GitHub user named KalleOlaviNeimitalo, version 0.7.29 included these scripts. From the command-line arguments, it looks like one of them is a crypto miner, but there’s a good chance that it might just be camouflage.

Furthermore, these scripts can also download and install a trojan that can export browser cookies, passwords, and OS credentials on Windows systems. This is an infostealer trojan, possibly a version of the Danabot malware, as identified by another GitHub user.


Since the library is used by several big corporations, including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many independent developers in general, even CISA has released a notification regarding the vulnerability. The GitHub Advisory Database has also documented the malware and classified it under CWE-506.

As of right now, the compromised versions are 0.7.29, 0.8.0 and 1.0.0, which have been replaced with the following patched versions — 0.7.30, 0.8.1, 1.0.1.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
