The story of the removal from the NPM repository of three malicious packages that copied the code of the ua-parser-js library has had an unexpected continuation: unknown attackers seized control of the ua-parser-js author's account and released updates containing code for stealing passwords and mining cryptocurrency.
The problem is that the ua-parser-js library, which provides functions for parsing the User-Agent HTTP header, has about 8 million downloads per week and is used as a dependency in more than 1,200 projects. It is noted that ua-parser-js is used in projects by Microsoft, Amazon, Facebook, Slack, Discord, Mozilla, Apple, Protonmail, Autodesk, Reddit, Vimeo, Uber, Dell, IBM, Siemens, Oracle, HP and Verizon.
The attack was carried out by hijacking the account of the project's developer, who realized something was wrong after an unusual wave of spam arrived in his mailbox. How exactly the developer's account was hacked has not been reported. The attackers published releases 0.7.29, 0.8.0 and 1.0.0 with malicious code introduced into them. Within a few hours the developers regained control of the project and published updates 0.7.30, 0.8.1 and 1.0.1 with the problem eliminated. The malicious versions were published only as packages in the NPM repository; the project's Git repository on GitHub was not affected. All users who installed the problematic versions are advised, if the file jsextension is found on Linux/macOS, or the files jsextension.exe and create.dll on Windows, to consider the system compromised and to change the passwords, keys and security certificates stored on it.
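As an added example (not code from the article or from the ua-parser-js project), the following Node.js script scans an npm package-lock.json, in either the v1 nested form or the v2/v3 flat "packages" form, for the three compromised ua-parser-js releases named above and reports the fixed release to move to. The lock-file content is constructed for illustration.

```javascript
// Map of compromised ua-parser-js versions to the release that removed the payload.
const COMPROMISED = { '0.7.29': '0.7.30', '0.8.0': '0.8.1', '1.0.0': '1.0.1' };
const PACKAGE = 'ua-parser-js';

// Returns every installed copy of ua-parser-js (direct or transitive) whose
// version is one of the compromised releases.
function findCompromised(lock) {
  const hits = [];
  const record = (path, version) => {
    if (version in COMPROMISED) hits.push({ path, version, fixed: COMPROMISED[version] });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed like "node_modules/a/node_modules/ua-parser-js"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.split('/').pop() === PACKAGE) record(path, entry.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects, walked recursively
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) record(path, entry.version);
        walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Human-readable report lines for the hits found in a lock file.
function report(lock) {
  const hits = findCompromised(lock);
  if (hits.length === 0) return ['no compromised ua-parser-js versions found'];
  return hits.map((h) => `${h.path}: ${h.version} is compromised, upgrade to ${h.fixed}`);
}

// Constructed sample lock file: one compromised direct copy, one clean transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '1.0.0' },
    'node_modules/some-lib': { version: '2.3.4' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.28' },
  },
};

console.log(report(SAMPLE_LOCK).join('\n'));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; a hit on any path means the compromised package was installed and the file indicators above should be checked as well.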
The malicious changes that were added resemble changes previously proposed in clones of ua-parser-js, which apparently were released to test the functionality before carrying out the large-scale attack on the main project. An executable file, jsextension, was downloaded from an external host onto the user's system and launched; it was selected according to the user's platform and was prepared in variants for Linux, macOS and Windows. For the Windows platform, in addition to the Monero cryptocurrency mining program (the xmrig miner was used), the attackers also arranged the deployment of the create.dll library to intercept passwords and send them to an external host.
The code for downloading the malicious components was added to the preinstall.sh file of the NPM package:

    IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU|UA|BY|KZ')
    if [ -z "$IP" ]
    then
        ...  # downloading and starting the executable file
As can be seen from the code, the script first checked the IP address via the freegeoip.app service and did not launch the malicious application for users from Russia, Ukraine, Belarus and Kazakhstan.