Cryptominer and Infostealer Delivered via Hijacked Popular NPM Library
Description
FortiGuard Labs is aware of a report that a few versions of the popular Node Package Manager (NPM) library UAParser.js were hijacked and served cryptominer and infostealer to Windows to Linux platforms. The NPM library is used in apps and websites to detect the type of device or browser from User-Agent data. UAParser.js is adopted by large companies and has about six to seven million downloads every week. Because of potential impact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on October 22nd urging users with compromised versions of UAParser.js to update to benign versions.
Why is this Significant?
This is significant because UAParser.js is widely adopted by large companies around the globe and has about six to seven million weekly downloads. The compromised libraries deployed cryptominer to Linux and Windows systems. Windows systems also received infostealer to harvest user credentials. Because of potential impact, CISA published an advisory on October 22nd urging users with compromised versions of UAParser.js to update to benign versions. See Appendix for the link to "Malware Discovered in Popular NPM Package, ua-parser-js".
What is UAParser.js?
UAParser.js is a JavaScript library used to detect Browser, Engine, OS, CPU, and Device type/model information from User-Agent data.
How was UAPaser.js Hijacked?
According to the developer, "Faisal Salman," his NPM account was compromised. The compromised NPM account was used to deploy tainted versions of UAPaser.js. It is unclear how the developer's NPM account was compromised in the first place.
What Malware were Served from the Hijacked UAPaser.js?
An open-source XMrig miner that mines Monero cryptocurrency was served to both Linux and Windows systems. Windows systems also received an infostealer malware that harvests user credentials from various software such as FTP and email clients, Virtual Network Computing (VNC) and browsers that are present on the compromised machine.
Which Versions of UAPaser.js Served Malware?
The compromised versions are 0.7.29, 0.8.0, and 1.0.0.
Which Versions of Subsequent UAParser.js are Deemed Clean?
Clean version of the library that were pushed out after the incident are 0.7.30, 0.8.1, and 1.0.1.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against the available files used in the attack:
W32/GenKryptik.EONW!tr
W32/ZDlder.SBEO!tr
ELF/BitCoinMiner.HF!tr
BAT/Miner.ht!tr
Riskware/CoinMiner.PO
W32/ZDlder.SBEO!tr
JS/Zapchast.fc!tr
All Network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client.
Other Mitigation?
Due to the potential impact of the issue, users of UAParser.js library are strongly recommended to check their projects for malicious software.
Windows systems with compromised versions of UAParser.js may have received an infostealer payload. As such, affected Windows users are strongly recommended to change their passwords, keys, and refresh tokens.
Appendix
Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) (ua-parser-js)
Malware Discovered in Popular NPM Package, ua-parser-js (CISA)
Embedded malware in ua-parser-js (GitHub Advisory Database)
Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor (Sophos)
UAParser.js (npm)