In an audacious incident, threat actors hijacked the account of the developer of a widely used JavaScript library, UAParser.ja, to replace the legitimate code with malicious one infused with malware and trojans.
The library’s developer Faisal Salman noticed something was off when his email was flooded by spam messages.
“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” was Salman’s first reaction as he yanked the library and asked users to revert to a previous release.
UAParser.js is used by the likes of Facebook, Apple, Amazon, Microsoft, IBM, and a lot more, and clocks between 6-7 million downloads every week.
Attacking developers
While attackers have previously attacked public repositories to push malicious software and malware, these attacks have been restricted to typosquatting or dependency hijacking.
These are attacks where the authors of the malicious libraries hope to take advantage of downstream developers accidentally installing their malware-riddled library by misspelling the name of the original library. In fact, just last week, SonaType researchers shared details about their efforts to rid such malicious libraries from npm.
Incidentally, one of the recent malevolent libraries SonaType helped remove last week, named Klow(n), was found impersonating UAParser.js, in what was labeled as a “weak brandjacking attempt.”
However, hijacking a developer’s account to replace genuine code with a poisonous one, is a lot more serious, especially when the target is as popular as UAParser.js.
According to The Record, analysis of the malicious library revealed that it downloaded scripts from a remote server, including a cryptominer and an information stealing trojan that could steal credentials from the operating systems and the web browsers, and could lead to all kinds of incidents of identity thefts.
Soon after he pulled the offending library, Salman uploaded new cleaner releases urging users to update.
The incident even led the US Cybersecurity and Infrastructure Security Agency (CISA) to publish a security alert, owing to the library’s popularity.
