The malefactors compromised three versions of the library: 0.7.29, 0.8.0, and 1.0.0. All users and administrators should update the libraries to versions 0.7.30, 0.8.1, and 1.0.1, respectively, as soon as possible.
What UAParser.js is, and why it is so popular
Introduction of malicious code
Attackers embedded malicious scripts into the library to download malicious code and execute it on victims’ computers, in both Linux and Windows. One module’s purpose was to mine cryptocurrency. A second (for Windows only) was capable of stealing confidential information such as browser cookies, passwords, and operating system credentials.
However, that may not be all: According to the US Cybersecurity and Infrastructure Protection Agency’s (CISA’s) warning, installing compromised libraries could allow attackers to take control of infected systems.
According to GitHub users, the malware creates binary files: jsextension (in Linux) and jsextension.exe (in Windows). The presence of these files is a clear indicator of system compromise.
How malicious code got into the UAParser.js library
Faisal Salman, the developer of the UAParser.js project, stated that an unidentified attacker got access to his account in the npm repository and published three malicious versions of the UAParser.js library. The developer immediately added a warning to the compromised packages and contacted npm support, which quickly removed the dangerous versions. However, while the packages were online, a significant number of machines could have downloaded it.
Apparently, they were online for a little more than four hours, from 14:15 to 18:23 CET on October 22. In the evening, the developer noticed unusual spam activity in his inbox — he said it alerted him to suspicious activity — and discovered the root cause of the problem. It is hard to know how many times the infected libraries have been downloaded during this time, but within three days from the incident their malicious code was detected by the security solutions at several dozen of our corporate clients around the world.
What to do if you downloaded infected libraries
The first step is to check computers for malware. All components of the malware used in the attack are successfully detected by our products.
Then update your libraries to the patched versions — 0.7.30, 0.8.1, and 1.0.1. However that is not enough: According to the advisory, any computer on which an infected version of the library was installed or executed should be considered completely compromised. Therefore, users and administrators should change all credentials that were used on those computers.
In general, development or build environments are convenient targets for attackers trying to organize supply-chain attacks. That means such environments urgently require antimalware protection.