Compromised NPM packages of ua-parser-JS (0.7.29, 0.8.0, 1.0.0)

Compromised NPM packages of ua-parser-JS (0.7.29, 0.8.0, 1.0.0)(github.com)

38 points by nop_slide 4 years ago | 6 comments

discussion is already going on reddit: https://www.reddit.com/r/programming/comments/qdlela/breakin...

The compromised package: https://www.npmjs.com/package/ua-parser-js

7,680,657 downloads a week

Version 0.7.28 is still good, anything above that is compromised

> 0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

Probably one of the biggest reasons it's downloaded so much is that it's a direct dependency of Facebook's "fbjs" package which is downloaded 5.7mil/week: https://www.npmjs.com/package/fbjs

https://github.com/facebook/fbjs/blob/main/packages/fbjs/pac...

Someone has already filed an issue: https://github.com/facebook/fbjs/issues/464

olex 4 years ago |

Maintainer already released clean versions "on top of" the compromised ones, and NPM acted on reports and removed the compromised versions as well.

Compromised (and no longer downloadable from NPM):

- 0.7.29

- 0.8.0

- 1.0.0

Clean:

- 0.7.28 (last version before the hijack)

- 0.7.30

- 0.8.1

- 1.0.1

Compromised versions apparently contained a cryptomining tool capable of running on Linux, and a trojan that extracts sensitive data (saved passwords, cookies) from browsers on Windows. Both are blocked by up-to-date Windows Defender and presumably other AV software.

aleksandrh 4 years ago | |

I have 0.7.28 as a dependency of a dependency and the miner is running on my system. So it may not just be 0.7.29?

aleksandrh 4 years ago | | |

User error, 0.7.28 is safe

justinlilly 4 years ago |

For those looking, this is the diff. I'd be really curious how that got in.

https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

cyanydeez 4 years ago |

id abandon the entire name spzce.