See also large-scale open source software supply chain hijacking, where attackers issue mining and secret stealing Trojans, or affect over one million users and a large number of downstream projects.
On October 22, the popular NPM package UA-Parser-JS, which was downloaded millions of times a week, was hijacked by hackers, resulting in the infection of a large number of Windows and Linux devices with cryptocurrency mining software and password-stealing Trojans.
UA-Parser-JS can be used to parse the user agent of the browser, and can identify the browser, engine, operating system, CPU, and device type/model used by the visitor.
The project is hugely popular, with millions of downloads per week and over 24 million total downloads this month. In addition, the package is used in more than a thousand other projects, including Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit and many more.
Shortly afterwards (October 22), the US Cybersecurity and Infrastructure Security Agency issued an alert and found malware in the popular NPM package UA-Parser-JS, urging users to hurry up and update.
The UA-Parser-JS project was hijacked to spread malware
On October 22, attackers began distributing malicious versions of the UA-Parser-JS NPM package in an attempt to install cryptocurrency mining software and password-stealing Trojans on numerous Linux and Windows devices.
Some developers said that their NPM accounts were hijacked, and the attackers successively deployed three malicious versions.
UA-Parser-JS developer Faisal Salman explained in the bug report, “When my mailbox was suddenly engulfed in spam from hundreds of websites, I knew right away that something must have gone wrong (if not, I might have I didn’t notice the emergence of the problem, but fortunately there was a lot of noise).”
“I believe someone hijacked my npm account and released infected packages (0.7.29, 0.8.0, 1.0.0). These packages may install malware, see the code diff for the difference. “
The affected versions and the patch-fixed versions are:
Malicious version
fix version
0.7.29
0.7.30
0.8.0
0.8.1
1.0.0
1.0.1
Through the malicious version shared by open source security vendor Sonatyp, we can better understand the entire flow of this attack.
When an infected package is installed on a user’s device, the preinstall.js script in it checks the type of operating system used on the device and launches a Linux shell script or Windows batch file.
preinstall.js script to check OS type
If the package is installed on a Linux device, execute the preinstall.sh script to check if the user is located in Russia, Ukraine, Belarus and Kazakhstan. If not in these countries, the script will start from 159[.]148[.]186[.]Download the jsextension program at 228 and execute it.
The jsextension program is an XMRig Moero mining software. To avoid being quickly detected, it will only use 50% of the device CPU’s computing power.
Linux shell script to install mining software
For Windows devices, the batch file also downloads the XMRig Monero mining software and saves it as jsextension.exe for execution. Also, the batch file will be downloaded from citationsherbe[.]Download a sdd.dll file at at and save it as create.dll.
Windows batch file to install mining software
The DLL file downloaded here is a password stealing Trojan (probably belonging to the DanaBot family) that steals the contents of passwords stored on the device.
Once loaded using the regsvr32.exe -s create.dll command, the DLL file attempts to steal passwords saved in various programs, including major FTP clients, VNC, chat software, email clients, and browsers.
In addition to stealing passwords from the above programs, the DLL executes a PowerShell script to steal passwords from within Windows Credential Manager, as shown in the image below.
Steal saved passwords from Windows
The mastermind behind this attack also appears to be behind other malicious NPM package attacks discovered this week.
Sonatype researchers have discovered three malicious NPM packages that deploy cryptocurrency mining software on Linux and Windows devices in much the same way.
How should UA-Parser-JS users respond?
Given the wide-ranging impact of this supply chain attack, all users of UA-Parser-JS are strongly advised to check their projects for malware.
Specifically, check for the existence of jsextension.exe (Windows) or jsextension (Linux) files, and delete them immediately if found.
Windows users should also scan the device for the create.dll file and delete it as soon as it is found.
Although the current password-stealing Trojans only affect Windows devices, Linux users should not take it lightly and prepare for the full penetration of their devices.
Therefore, all infected Linux and Windows users should change passwords, keys, and refresh tokens to avoid credential information leaking and being captured by attackers.
While a complete password and access token replacement is a daunting task, don’t take any chances, given the potential for attackers to take over other accounts, including further infiltrating other projects in a supply chain attack.
The Links: LQ104V1DG61 CM150DY-24A
