Another popular npm package infected with malware
Popular library with millions of downloads infected with malware
In an audacious incident, threat actors hijacked the account of the developer of a widely used JavaScript library, UAParser.js, and replaced the legitimate code with a malicious version laced with malware and trojans.
The library’s developer Faisal Salman noticed something was off when his email was flooded by spam messages.
“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” was Salman’s first reaction as he yanked the library and asked users to revert to a previous release.
UAParser.js is used by the likes of Facebook, Apple, Amazon, Microsoft, IBM, and many more, and clocks between 6 and 7 million downloads every week.
Attacking developers
While attackers have previously targeted public repositories to push malicious software, those attacks have been restricted to typosquatting or dependency hijacking.
These are attacks in which the authors of malicious libraries hope that downstream developers will accidentally install their malware-riddled package by misspelling the name of the original library. In fact, just last week, Sonatype researchers shared details about their efforts to rid npm of such malicious libraries.
Incidentally, one of the recent malevolent libraries Sonatype helped remove last week, named Klow(n), was found impersonating UAParser.js in what was labeled a “weak brandjacking attempt.”
However, hijacking a developer’s account to replace genuine code with a poisoned version is a lot more serious, especially when the target is as popular as UAParser.js.
According to The Record, analysis of the malicious library revealed that it downloaded scripts from a remote server, including a cryptominer and an information-stealing trojan that could harvest credentials from the operating system and web browsers, potentially leading to all kinds of identity-theft incidents.
Soon after he pulled the offending library, Salman uploaded new, clean releases and urged users to update.
The incident even led the US Cybersecurity and Infrastructure Security Agency (CISA) to publish a security alert, owing to the library’s popularity.
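Because the hijacked releases are pinned by version in a project's lockfile, the practical check for a downstream team is whether any dependency, direct or transitive, resolves to 0.7.29, 0.8.0 or 1.0.0. The script below is an added example, not code from the article or from the UAParser.js project; it assumes the npm package name is ua-parser-js and uses a constructed lockfile as sample input.

```javascript
// Added example (not from the article): scan an npm lockfile for the
// UAParser.js versions the article lists as compromised. The npm package
// name "ua-parser-js" is assumed here; the lockfile below is constructed.
const COMPROMISED = {
  "ua-parser-js": new Set(["0.7.29", "0.8.0", "1.0.0"]),
};

// Walk a lockfile and return every dependency path that resolves to a
// compromised version. Handles lockfileVersion 1 (nested "dependencies")
// and versions 2/3 (flat "packages" keyed by node_modules path).
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = COMPROMISED[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // Package name is whatever follows the last "node_modules/" (scoped names keep their "@scope/").
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, meta.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = prefix ? `${prefix} > ${name}` : name;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, where); // nested (deduped) deps
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: a lockfileVersion 1 file where the direct dependency
// is safe but a transitive one pulled in a hijacked release.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "ua-parser-js": { version: "0.7.28" },
    "some-analytics-sdk": {
      version: "2.1.0",
      dependencies: { "ua-parser-js": { version: "0.7.29" } },
    },
  },
};

console.log(findCompromised(SAMPLE_LOCK_V1));
```

To run it against a real project, replace `SAMPLE_LOCK_V1` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means the project should be rebuilt from a clean release and any credentials present on the affected machines rotated.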
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.