{"id":19009,"date":"2021-10-25T16:08:53","date_gmt":"2021-10-25T20:08:53","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/uaparser-js-infected-versions\/19009\/"},"modified":"2021-10-27T23:19:42","modified_gmt":"2021-10-27T19:19:42","slug":"uaparser-js-infected-versions","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/uaparser-js-infected-versions\/19009\/","title":{"rendered":"Popular JavaScript package UAParser.js infected with malware"},"content":{"rendered":"<p>Unknown attackers have compromised several versions of a popular JavaScript library, UAParser.js, by injecting malicious code. According to <a href=\"https:\/\/www.npmjs.com\/package\/ua-parser-js\" target=\"_blank\" rel=\"nofollow noopener\">statistics on the developers\u2019 page<\/a>, many projects use the library, which is downloaded 6 to 8 million times every week. <\/p>\n<p>The malefactors compromised three versions of the library: 0.7.29, 0.8.0, and 1.0.0. All users and administrators should update the libraries to versions 0.7.30, 0.8.1, and 1.0.1, respectively, as soon as possible.<\/p>\n<h2>What UAParser.js is, and why it is so popular<\/h2>\n<p>JavaScript developers use the UAParser.js library for parsing the User-Agent data browsers send. It is implemented on many websites and used in the software development process of various companies, including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, and more. Moreover, some software developers use third-party instruments, such as the Karma framework for code testing, which also depend on this library, further increasing the scale of the attack by adding an additional link to the supply chain.<\/p>\n<h2>Introduction of malicious code<\/h2>\n<p>Attackers embedded malicious scripts into the library to download malicious code and execute it on victims\u2019 computers, in both Linux and Windows. One module\u2019s purpose was to mine cryptocurrency. 
A second (for Windows only) was capable of stealing confidential information such as browser cookies, passwords, and operating system credentials.<\/p>\n<p>However, that may not be all: According to the US Cybersecurity and Infrastructure Protection Agency\u2019s (CISA\u2019s) <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/10\/22\/malware-discovered-popular-npm-package-ua-parser-js\" target=\"_blank\" rel=\"nofollow noopener\">warning<\/a>, installing compromised libraries could allow attackers to take control of infected systems.<\/p>\n<p>According to <a href=\"https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536\" target=\"_blank\" rel=\"nofollow noopener\">GitHub users<\/a>, the malware creates binary files: jsextension (in Linux) and jsextension.exe (in Windows). The presence of these files is a clear indicator of system compromise.<\/p>\n<h2>How malicious code got into the UAParser.js library<\/h2>\n<p>Faisal Salman, the developer of the UAParser.js project, <a href=\"https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536#issuecomment-949742904\" target=\"_blank\" rel=\"nofollow noopener\">stated that<\/a> an unidentified attacker got access to his account in the npm repository and published three malicious versions of the UAParser.js library. The developer immediately added a warning to the compromised packages and contacted npm support, which quickly removed the dangerous versions. However, while the packages were online, a significant number of machines could have downloaded them.<\/p>\n<p>Apparently, they were online for a little more than four hours, from 14:15 to 18:23 CET on October 22. In the evening, the developer noticed unusual spam activity in his inbox \u2014 he said it alerted him to suspicious activity \u2014 and discovered the root cause of the problem. 
It is hard to know how many times the infected libraries were downloaded during this time, but within three days of the incident their malicious code was detected by the security solutions at several dozen of our corporate clients around the world.<\/p>\n<h2>What to do if you downloaded infected libraries<\/h2>\n<p>The first step is to check computers for malware. All components of the malware used in the attack are successfully detected by our products.<\/p>\n<p>Then update your libraries to the patched versions \u2014 0.7.30, 0.8.1, and 1.0.1. However, that is not enough: <a href=\"https:\/\/github.com\/advisories\/GHSA-pjwm-rvh2-c87w\" target=\"_blank\" rel=\"nofollow noopener\">According to the advisory<\/a>, any computer on which an infected version of the library was installed or executed should be considered completely compromised. Therefore, users and administrators should change all credentials that were used on those computers.<\/p>\n<p>In general, development or build environments are convenient targets for attackers trying to organize supply-chain attacks. That means such environments urgently require <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/devops-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">antimalware protection<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-top3\">\n","protected":false},"excerpt":{"rendered":"<p>Npm package UAParser.js, installed on tens of millions of computers worldwide, has been infected with a password stealer and a miner. 
Here&#8217;s what to do.<\/p>\n","protected":false},"author":700,"featured_media":19010,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[2514,533,1328,1429,2304,187,1758,113],"class_list":{"0":"post-19009","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-javascript","10":"tag-linux","11":"tag-macos","12":"tag-miners","13":"tag-password-stealer","14":"tag-passwords","15":"tag-supply-chain","16":"tag-windows"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/uaparser-js-infected-versions\/19009\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/uaparser-js-infected-versions\/23525\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/uaparser-js-infected-versions\/25614\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/uaparser-js-infected-versions\/23678\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/uaparser-js-infected-versions\/23186\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/uaparser-js-infected-versions\/26330\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/uaparser-js-infected-versions\/31787\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/uaparser-js-infected-versions\/10204\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/uaparser-js-infected-versions\/42700\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/uaparser-js-infected-versions\/17993\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/uaparser-js-infected-versions\/18359\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/uaparser-js-infected-versions\/15441\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/uaparser-js-infected-versions\/27646\/"},{"hreflang":"ru-kz"
,"url":"https:\/\/blog.kaspersky.kz\/uaparser-js-infected-versions\/24517\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/uaparser-js-infected-versions\/29877\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/uaparser-js-infected-versions\/29679\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/supply-chain\/","name":"supply chain"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19009"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19009\/revisions"}],"predecessor-version":[{"id":19017,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19009\/revisions\/19017"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19010"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19009"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19009"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}