by nop_slide on 10/22/21, 6:02 PM with 6 comments
by flanbiscuit on 10/22/21, 8:02 PM
The compromised package: https://www.npmjs.com/package/ua-parser-js
7,680,657 downloads a week
Version 0.7.28 is still good, anything above that is compromised
> 0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.
Probably one of the biggest reasons it's downloaded so much is that it's a direct dependency of Facebook's "fbjs" package which is downloaded 5.7mil/week: https://www.npmjs.com/package/fbjs
https://github.com/facebook/fbjs/blob/main/packages/fbjs/pac...
Someone has already filed an issue: https://github.com/facebook/fbjs/issues/464
by olex on 10/22/21, 9:50 PM
Compromised (and no longer downloadable from NPM):
- 0.7.29
- 0.8.0
- 1.0.0
Clean:
- 0.7.28 (last version before the hijack)
- 0.7.30
- 0.8.1
- 1.0.1
Compromised versions apparently contained a cryptomining tool capable of running on Linux, and a trojan that extracts sensitive data (saved passwords, cookies) from browsers on Windows. Both are blocked by up-to-date Windows Defender and presumably other AV software.
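A check against the version list above, as an added example (not code from the thread or from the ua-parser-js project): it walks a parsed package-lock.json in either lockfile layout and flags every installed copy of ua-parser-js at a compromised version, including a transitive copy nested under a dependency such as fbjs; the sample lockfile and the parent's `x.y.z` version are constructed.

```javascript
// Added example (not from the thread or the ua-parser-js project): flag the
// compromised ua-parser-js releases listed above in a package-lock.json.
// Takes the parsed lockfile object, so it runs offline on the constructed sample.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']);
const TARGET = 'ua-parser-js';

// Collect every installed copy of `name`, with its resolved version and its
// place in the tree. Handles lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 ("packages" keyed by node_modules path), since a
// transitive copy (e.g. under fbjs) may differ from a hoisted top-level one.
function findPackage(lock, name = TARGET) {
  const hits = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (!key) continue; // "" is the root project itself
      const segs = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
      if (segs[segs.length - 1] === name) hits.push({ path: segs.join(' > '), version: info.version });
    }
    return hits;
  }
  (function walk(deps, trail) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = trail.concat(dep);
      if (dep === name) hits.push({ path: path.join(' > '), version: info.version });
      walk(info.dependencies, path); // non-hoisted nested copies
    }
  })(lock.dependencies, []);
  return hits;
}

// Mark each copy as compromised or clean against the list in the thread.
function audit(lock) {
  return findPackage(lock).map(h => ({ ...h, compromised: COMPROMISED.has(h.version) }));
}

// Constructed lockfileVersion 1 sample: a clean hoisted copy plus a hijacked
// copy pulled in transitively (the parent's version is a placeholder).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'ua-parser-js': { version: '0.7.28' },
    fbjs: { version: 'x.y.z', dependencies: { 'ua-parser-js': { version: '0.7.29' } } },
  },
};

for (const f of audit(SAMPLE_LOCK)) {
  console.log(`${f.compromised ? 'COMPROMISED' : 'clean'}  ${f.path}@${f.version}`);
}
```

Note that a lockfile pins what was resolved, not what a fresh `npm install` would pick; run the check on the lockfile actually committed and on the one produced by a clean install.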
by justinlilly on 10/23/21, 6:29 AM
by cyanydeez on 10/22/21, 10:26 PM