Malware found in npm package with millions of weekly downloads

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where the compromised versions were used.

  • The incident was detected on Friday, October 22.
  • It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings.
  • According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley's elites.
  • The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.
  • Compromised versions: 0.7.29, 0.8.0, 1.0.0
  • Patched versions: 0.7.30, 0.8.1, 1.0.1

"I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware," said Faisal Salman, author of the UAParser.js library.

Hours after discovering the hack, Salman pulled the compromised library versions—to prevent users from accidentally infecting themselves—and released clean ones.

Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were provided for both Linux and Windows platforms.

"From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage," a GitHub user said on Friday.

But on Windows systems, the scripts would also download and execute an infostealer trojan (possibly a version of the Danabot malware) that contained functionality to export browser cookies, browser passwords, and OS credentials, according to another GitHub user's findings.

Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert late Friday night about the incident, urging developers to update to the safe versions.

GitHub's security team also took note of the incident and issued its own adviory, urging immediate password resets and token rotations from systems where the library was used part of development processes.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This marks the fourth malicious npm package found this week. On Wednesday, Sonatype also found three newly-released npm libraries that contained similar malicious code, intended to download and install a cryptocurrency miner, targeting Linux and Windows systems alike.

Article updated at 13:30pm, October 23, to add that a password-stealing trojan was also discovered inside the compromised library.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.