A javascript library downloaded millions of times each week was compromised in a supply chain attack which targeted the npm software registry.
npm describes itself as the worlds largest software registry, and is used to host and share thousands of open source and private software projects. The javascript library in question is used by companies such as Google, Amazon, Microsoft and Facebook to extract details from the browser user-agent when a user visits a webpage. The UA-Parser javascript library was compromised when a malicious user was able access the developer’s npm account and change the published version to include malware that stole passwords and installed cryptomining software on the victims computer.
The compromised versions of UA-Parser are: 0.7.29, 0.8.0, 1.0.0. The developer has now released fixed versions of the project: 0.7.30, 0.8.1, 1.0.1
Additional research by BleepingComputer has identified the malware files installed and includes advice on how to remove them from a compromised system.
Github (who owns npm) issued a critical security advisory about the incident, and warns:
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
