CISA warns of malware discovered in npm package UAParser.js, which has 6M-7M downloads weekly, that installs a password stealer and a crypto miner
A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed … Source: GitHub, CISA, and GitHub.
The Record Catalin Cimpanu
Related Coverage
- ua-parser-js — UAParser.js — JavaScript library to detect Browser, Engine, OS, CPU … npm · Major
- Popular NPM library hijacked to install password-stealers, miners BleepingComputer · Lawrence Abrams
- Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised Hackaday · Ryan Flowers
- Malicious code discovered in widely used JavaScript library UAParser.js Market Research Telecast · MRT
- Malicious Packages Disguised as JavaScript Libraries Found BankInfoSecurity · Prajeet Nair
- CISA warns of trojanized versions of JavaScript library's NPM package HackRead · Deeba Ahmed
- ‘Critical Severity’ Warning for Malware Embedded in Popular JavaScript Library SecurityWeek · Ryan Naraine
- Supply-chain attack on NPM Package UAParser, which has millions of daily downloads Security Affairs · Pierluigi Paganini
- Popular NPM Package Hijacked to Publish Crypto-mining Malware The Hacker News · Ravie Lakshmanan
- Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js #536 GitHub · Faisalman
- Malware Discovered in Popular NPM Package, ua-parser-js CISA
- Embedded malware in ua-parser-js GitHub
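The compromised releases (0.7.29, 0.8.0, 1.0.0) and their patched counterparts (0.7.30, 0.8.1, 1.0.1) named in the GitHub issue and the CISA alert above make a concrete check possible. The following is an added example, not code from the ua-parser-js project, GitHub or CISA: a Node.js script that walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat "packages" map of lockfileVersion 2/3), reports any ua-parser-js install at a compromised version together with the patched version to move to, and lists install-time lifecycle hooks in a package manifest, since the malicious code in this incident ran from a preinstall script. The lockfiles in the block are constructed samples, and `findCompromised`, `installedPackages`, `installHooks`, `SAMPLE_LOCK_V2` and `SAMPLE_LOCK_V1` are names chosen here.

```javascript
// Added example (not ua-parser-js project code, not CISA or GitHub tooling):
// find the compromised ua-parser-js releases in an npm lockfile and report
// the patched version. Versions are the ones named in the advisory/alert.
const COMPROMISED = new Map([
  ['ua-parser-js', new Map([
    ['0.7.29', '0.7.30'],
    ['0.8.0', '0.8.1'],
    ['1.0.0', '1.0.1'],
  ])],
]);

// Yield every installed {name, version, path} from a parsed lockfile.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree.
function* installedPackages(lock) {
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry, not a dependency
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Return every install of a compromised version, with the version to move to.
function findCompromised(lock) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = COMPROMISED.get(pkg.name);
    if (bad && bad.has(pkg.version)) {
      hits.push({ ...pkg, fixVersion: bad.get(pkg.version) });
    }
  }
  return hits;
}

// Lifecycle hooks that run arbitrary code at install time. The compromised
// ua-parser-js artifacts carried a preinstall script; listing such hooks in a
// manifest is a cheap triage signal, not proof of malice (many honest
// native-addon packages use them).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Constructed sample lockfiles (not real project data). The nested 0.7.28 in
// SAMPLE_LOCK_V2 is deliberately a clean version and must not be flagged.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/left-pad/node_modules/ua-parser-js': { version: '0.7.28' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-lib': {
      version: '2.0.0',
      dependencies: { 'ua-parser-js': { version: '1.0.0' } },
    },
  },
};

// Stand-alone use: `node check-ua-parser.js package-lock.json`; with no
// argument the constructed v2 sample is scanned instead.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V2;
  for (const hit of findCompromised(lock)) {
    console.log(`${hit.path}: ${hit.name}@${hit.version} is compromised, upgrade to ${hit.fixVersion}`);
  }
}
```

`npm ls ua-parser-js` shows the same install paths from the resolved tree and is a quick cross-check; a yarn.lock or pnpm-lock.yaml needs its own parser, since the layout above is npm's. Whichever way the check is done, a hit means the package's preinstall code already ran on any machine that installed it, so the follow-up is credential rotation and host triage, not only bumping the version.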
Discussion
-
@campuscodi
Catalin Cimpanu
on x
NEW: CISA warned today about the compromise of a major JavaScript/npm library with millions of weekly downloads -The library, called UAParser.js, was compromised with a cryptominer -Library author said their account was hijacked https://therecord.media/... https://twitter.com/...
-
@uscert_gov
Us-Cert
on x
Versions (0.7.29, 0.8.0, and 1.0.0) of a popular NPM package named ua-parser-js were found to contain malicious code. Please update to the patched versions (0.7.30, 0.8.1, 1.0.1). More in our alert: https://us-cert.cisa.gov/... GitHub advisory: https://github.com/...
-
@__davidflanagan
David Flanagan
on x
I feel like NPM revolutionized software development for the web and now has the potential to destroy software development for the web https://twitter.com/... https://twitter.com/...
-
@nsa_csdirector
Rob Joyce
on x
Important @CISAgov alert: Malware inserted into widely used JavaScript library (npm package) UAParser.js which reads information stored inside user-agent strings. Developers must update to patched versions: 0.7.30, 0.8.1, 1.0.1 https://therecord.media/...
-
@marypcbuk
Scary Mary Branscombe
on x
Software supply chain problems and of course it's a cryptominer. Crypto is why we can't have nice things https://twitter.com/...
-
@bytesafedev
Bytesafe
on x
Beware: compromised versions of #npm package ua-parser-js. Malicious versions have been deprecated and flagged. Details: https://github.com/... Take steps to handle your dependencies securely. #node #javascript #nodejs #supplychainsecurity
-
@jnitterauer
Jim Nitterauer
on x
This won't end well. Malware found in npm package with millions of weekly downloads - The Record by Recorded Future https://therecord.media/...
-
@drewchurch
Drew Church
on x
Another (IMO) supply chain compromise - this time with a popular JS library ua-parser-js. 2.5m public repos on GH, 7m weekly downloads on NPM. Oof. https://github.com/...
-
@campuscodi
Catalin Cimpanu
on x
IOCs here: https://github.com/... Here's a very sane advice from GitHub's security team: https://twitter.com/...
-
@ulldma
@ulldma
on x
Popular npm package ‘ua-parser-js’ has been compromised. The preinstall code added to the compromised artifacts has not been obfuscated. https://github.com/... #supplychainsecurity https://twitter.com/...
-
@adam_baldwin
Adam Baldwin
on x
We consume 3rd party code with less vetting than Halloween candy. https://twitter.com/...