A Well-Known NPM Library Was Hijacked
The UA-Parser-JS NPM Library Was Hijacked and Used to Install Password-stealers and Miners on Unsuspecting Users’ Terminals.
UA-Parser-JS is used in applications and web pages to identify, from User-Agent data, the type of device or browser a visitor is using. A remote attacker might gain access to sensitive information or take control of a computer or device that has the vulnerable software installed or running.
In a supply-chain attack, threat actors used the popular UA-Parser-JS NPM module, which is downloaded millions of times every week, to infect Linux and Windows machines with cryptominers and password-stealing trojans.
The UA-Parser-JS package parses a browser’s user agent to determine a visitor’s browser, engine, operating system, processor, and device type/model. With millions of downloads every week and over 24 million downloads so far this month, the library is extremely popular.
The library is used in over a thousand other projects, including those of Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and others.
A threat actor released malicious versions of the UA-Parser-JS NPM module recently, thus allowing cryptominers and password-stealing trojans to be installed on Linux and Windows systems.
According to a developer who used the library and became a victim, his NPM account was hacked and the three malicious versions of the library were published from it.
I noticed something unusual when my email was suddenly flooded with spam from hundreds of websites (maybe so I wouldn't realize something was up; luckily the effect was quite the contrary).
I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware, as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0.
When a compromised version is installed on a user's device, a preinstall.js script checks the operating system and launches either a Linux shell script or a Windows batch file accordingly.
As BleepingComputer explained, if the package is installed on a Linux device, a preinstall.sh script runs to check whether the user is in Russia, Ukraine, Belarus, or Kazakhstan. If the device is not in one of those countries, the script downloads and runs the jsextension [VirusTotal] binary from 159[.]148[.]186[.]228.
The jsextension binary is an XMRig Monero miner configured to use only 50% of the device's CPU so as to avoid detection.
On Windows devices, the batch file likewise downloads and runs the XMRig Monero cryptominer, saving it as jsextension.exe [VirusTotal]. The batch file also downloads an sdd.dll file [VirusTotal] from citationsherbe[.]at and saves it as create.dll.
The downloaded DLL is password-stealing malware (probably DanaBot) that attempts to steal the device's credentials. When the DLL is loaded with the regsvr32.exe -s create.dll command, it tries to harvest credentials from a range of programs, including FTP clients, VNC, chat software, email clients, and browsers.
It's important to note that the DLL will also execute a PowerShell script to steal passwords from the Windows Credential Manager.
Because of the widespread effect of this supply-chain attack, all users of the UA-Parser-JS library are urged to check their projects for signs of the malware.
This means looking for and removing the files jsextension.exe (Windows) and jsextension (Linux); Windows users should also look for a create.dll file and remove it right away.