
Overview

To save developers from reinventing the wheel every time they write a new application or piece of code, it’s very common for them to re-use existing libraries of code that perform the functions that they need.

ua-parser-js is a very popular JavaScript library distributed through NPM; it is downloaded around 7.5 million times per week to run on people’s devices.

Unfortunately, certain versions have been compromised and embedded with data-stealing and cryptocurrency-mining malware.

Impact

GitHub, which owns NPM, issued the following advisory:

Any computer that has this package installed or running should be considered fully compromised.

All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed but, as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Vulnerability Detection

Check the versions of the libraries used in your code, including copies of ua-parser-js pulled in indirectly by other dependencies, against the affected versions listed below.

Affected Products

If you use ua-parser-js versions 0.7.29, 0.8.0 or 1.0.0, then you are impacted.

Containment, Mitigations & Remediations

The NPM package ua-parser-js had three versions published with malicious code. Users of affected versions should upgrade as soon as possible. Patched versions are 0.7.30, 0.8.1 and 1.0.1.
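One way to carry out the version check described above, as an added example that is not part of the original advisory: a Node.js script that scans a parsed package-lock.json (both the v1 nested format and the v2/v3 flat "packages" format) for the compromised ua-parser-js releases, including transitive copies, and names the patched version to move to. The sample lockfile and the dependency name "some-lib" are constructed for illustration.

```javascript
// Added example (not from the advisory): scan a parsed package-lock.json for
// the compromised ua-parser-js releases. Handles lockfile v1 (nested
// "dependencies") and v2/v3 ("packages" keyed by node_modules path).
const PACKAGE = "ua-parser-js";
// Compromised -> patched versions, as listed in the advisory.
const PATCHED = { "0.7.29": "0.7.30", "0.8.0": "0.8.1", "1.0.0": "1.0.1" };

// Return every installed copy (direct or transitive) at a compromised version.
function findAffected(lock) {
  const hits = [];
  const record = (path, version) => {
    if (PATCHED[version]) hits.push({ path, version, upgradeTo: PATCHED[version] });
  };
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/ua-parser-js"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`)) record(path, meta.version);
    }
  } else {
    // v1: recurse through nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (v1 shape): a clean direct copy plus a compromised
// transitive copy pulled in by a hypothetical dependency "some-lib".
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "ua-parser-js": { version: "0.7.30" },
    "some-lib": {
      version: "2.0.0",
      dependencies: { "ua-parser-js": { version: "0.7.29" } },
    },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} is compromised, upgrade to ${h.upgradeTo}`);
}
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no compromised copy is recorded in the lockfile.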

Indicators of Compromise

  • Linux miner: ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e
  • Windows miner: 7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5
  • Password stealer: 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
  • 159[.]148[.]186[.]228
  • citationsherbe[.]at
  • jsextension.exe (Windows)
  • jsextension (Linux)

Threat Landscape

This is going to be a developing story, as companies and individuals who use the compromised versions may take time to become aware of the issue and its impact. The attack is particularly dangerous given the number of systems potentially affected and the fact that it targets both Windows and Linux.

The password stealer is of the greatest concern. On Windows devices, it runs a PowerShell Script to steal passwords from the Windows Credential Manager.

More broadly, it attempts to harvest credentials from the following programs:

  • WinVNC, Firefox, FTP Control, Screen Saver 9x, Apple Safari, NetDrive, PC Remote Control, Remote Desktop Connection, Becky, ASP.NET Account, Cisco VPN Client, The Bat!, FreeCall, GetRight, Outlook, Vypress Auvis, FlashGet/JetCar, Eudora, CamFrog, FAR Manager FTP, Gmail Notifier, Win9x NetCache, Windows/Total Commander, Mail.Ru Agent, ICQ2003/Lite, WS_FTP, IncrediMail, “&RQ, R&Q”, CuteFTP, Group Mail Free, Yahoo! Messenger, FlashFXP, PocoMail, Digsby, FileZilla, Forte Agent, Odigo, FTP Commander, Scribe, IM2/Messenger 2, BulletProof FTP Client, POP Peeper, Google Talk, SmartFTP, Mail Commander, Faim, TurboFTP, Windows Live Mail, MySpaceIM, FFFTP, Mozilla Thunderbird, MSN Messenger, CoffeeCup FTP, SeaMonkey, Windows Live Messenger, Core FTP, Flock, Paltalk, FTP Explorer, Download Master, Excite Private Messenger, Frigate3 FTP, Internet Download Accelerator, Gizmo Project, SecureFX, IEWebCert, AIM Pro, UltraFXP, IEAutoCompletePWs, Pandion, FTPRush, VPN Accounts, Trillian Astra, WebSitePublisher, Miranda, 888Poker, BitKinex, GAIM, FullTiltPoker, ExpanDrive, Pidgin, PokerStars, Classic FTP, QIP.Online, TitanPoker, Fling, JAJC, PartyPoker, SoftX FTP Client, WebCred, CakePoker, Directory Opus, Windows Credentials, UBPoker, FTP Uploader, MuxaSoft Dialer, EType Dialer, FreeFTP/DirectFTP, FlexibleSoft Dialer, RAS Passwords, LeapFTP, Dialer Queen, Internet Explorer, WinSCP, VDialer, Chrome, 32bit FTP, Advanced Dialer, Opera, WebDrive, Windows RAS

Further Information

www.virustotal.com

Popular NPM library hijacked to install password-stealers, miners

Security issue: compromised npm packages of ua-parser-js

Embedded malware in ua-parser-js