denverniom.blogg.se

Npmjs download

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where the compromised versions were used.

The incident was detected on Friday, October 22. It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings. According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley's elites. The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.

"I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware," said Faisal Salman, author of the UAParser.js library.

Hours after discovering the hack, Salman pulled the compromised library versions, to prevent users from accidentally infecting themselves, and released clean ones.

Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were provided for both Linux and Windows platforms.

"From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage," a GitHub user said on Friday. But on Windows systems, the scripts would also download and execute an infostealer trojan (possibly a version of the Danabot malware) that contained functionality to export browser cookies, browser passwords, and OS credentials, according to another GitHub user's findings.

Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert late Friday night about the incident, urging developers to update to the safe versions.
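
As an added example (not from the original article or the UAParser.js project), the Node.js check below walks a parsed package-lock.json, in either the older nested `dependencies` layout or the newer flat `packages` layout, and reports every installed copy of the library pinned at one of the three compromised versions quoted above. The npm package name `ua-parser-js`, the function names and the sample lockfiles are assumptions constructed for illustration.

```javascript
// Added example: find compromised ua-parser-js versions in a parsed package-lock.json.
// Assumption: the library is published on npm under the name "ua-parser-js".
const PACKAGE = "ua-parser-js";
const COMPROMISED = new Set(["0.7.29", "0.8.0", "1.0.0"]); // versions named in the article

// lockfileVersion 2/3: flat "packages" map keyed by install path (nested copies included).
function scanPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // The package name is whatever follows the last "node_modules/" segment.
    const name = path.split("node_modules/").pop();
    if (name === PACKAGE && COMPROMISED.has(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; recurse to catch transitive copies.
function scanDependencies(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === PACKAGE && COMPROMISED.has(meta.version)) hits.push({ path: here.join(" > "), version: meta.version });
    hits.push(...scanDependencies(meta.dependencies, here));
  }
  return hits;
}

function findCompromised(lock) {
  // Prefer "packages" when present; v2 lockfiles carry both maps and would double-count.
  return lock.packages ? scanPackages(lock.packages) : scanDependencies(lock.dependencies);
}

// Constructed sample lockfiles (not real project data).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" }, // root project, must not be flagged
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.1.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
    "ua-parser-js": { version: "0.8.0" },
  },
};
console.log(findCompromised(sampleV3), findCompromised(sampleV1));
```

To check a real project, pass the `JSON.parse` result of its `package-lock.json` to `findCompromised`; an empty result only means none of the three listed versions is pinned in that lockfile.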














