
Add security advice to Readme.MD referring to malwared releases

Open chris-aeviator opened this issue 2 years ago • 3 comments

I was informed about the malicious code being shipped with UA Parser (https://github.com/faisalman/ua-parser-js/issues/536) via a (German) technology news blog. When looking at the readme of ua-parser-js, and especially at npmjs, I'm not informed that this has happened, and would not have found any reason to start checking my system.

Since UA Parser might be used in many production instances/ systems, I kindly ask @faisalman to increase his responsibility in this security issue by raising the awareness for the affected users significantly.

This can be accomplished IMO with a ⚠️⚠️⚠️ BIG WARNING ⚠️⚠️⚠️ in the readme that advises on

  • how to detect if a user is affected (e.g. npm list | grep ua-parser-js )
  • what the threat to their system is
  • what the necessary steps are to make sure the system is free of malware

In certain legislations/ industries, usage of a compromised package might lead to legal consequences if a company does not act in a timely manner, and the info being hidden inside an issue is insufficient in my view.

chris-aeviator avatar Oct 25 '21 07:10 chris-aeviator

Github also has a Security Advisory tab where this information could be published https://github.com/faisalman/ua-parser-js/security/advisories

ghost avatar Oct 25 '21 09:10 ghost

Running npm list returns only the first level of packages, but ua-parser-js may be a sub-dependency.

@chris-aeviator you should run npm list ua-parser-js to find if any dependency in your projects depend on ua-parser-js

CMendy avatar Oct 27 '21 16:10 CMendy

Any update?

chris-aeviator avatar Nov 05 '21 05:11 chris-aeviator