Popular npm Project Used by Millions Hijacked in Supply-Chain Attack

Last week, Sonatype reported our discovery of three malicious npm cryptomining packages on npm: klow, klown, and okhsa. These packages, which infiltrated the npm registry between October 12th and 15th, installed Monero miners on Windows, macOS, and Linux machines. Interestingly, at least one of these packages was seen impersonating a popular, legitimate library called “ua-parser-js.”

DevOps Experience

Untitled 1_html_61c6b88074343dd9

By Friday, the maintainer of the real “ua-parser-js” surprisingly announced the project had been hijacked—with versions 0.7.29, 0.8.0, 1.0.0 of the package now laced with cryptominers.

Sonatype’s security research team has cataloged these versions under Sonatype-2021-1529 in our data.

Based on the announcement, the cause of the hijack seems to be an npm account takeover:

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” announced Faisal Salman, the developer behind “ua-parser-js.”

The real “ua-parser-js” has been downloaded almost a billion times to date and gets over 7 million weekly downloads. Big tech companies, including Facebook, Amazon, Microsoft, Google, Instagram, Mozilla, Elastic, Intuit, Slack, and Reddit are just some of the names depending on the library. These significant factors make the incident a concerning supply-chain attack among a series of attacks against open source ecosystems seen in the last year.

For example, Facebook’s “fbjs” library that itself gets over 5 million weekly downloads on npm alone, has “ua-parser-js” listed as a dependency

Identical cryptominers found, along with password stealers

Sonatype’s analysis identified the cryptominers present in the hijacked “ua-parser-js” versions to have the same file names (jsextension, jsextension.exe) and file hashes as the miners found in the three malicious packages identified by us last week. This indicates a possible link to the same threat actor.

(Read more…)