CISA warns of trojanized versions of JavaScript library’s NPM package

The warning comes days after three rogue packages, okhsa, klow, and klown discovered by DevSecOps firm Sonatype, were removed from the NPM repository.

The warning comes days after three rogue packages, okhsa, klow, and klown discovered by DevSecOps firm Sonatype, were removed from the NPM repository.

On Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) released a warning to disclose an incident related to the GitHub Advisory Database. According to CISA, a crypto-mining malware was hidden in a popular JavaScript NPM library, UAParser.js.

The library rakes in more than six to eight million downloads per week and is used in websites and applications to identify browsers and systems used. The NPM platform became a part of Microsoft-owned GitHub in 2020.

Three Rogue NPM Packages Discovered

The warning comes days after three rogue packages, okhsa, klow, and klown discovered by DevSecOps firm Sonatype, were removed from the NPM repository.

Reportedly, three versions of UYAParser.js, 0.7.29, 0.8.0, 1.0.0, were embedded with malicious code after the attacker successfully hijacked the NPM account of the maintainer.

It was identified that a device running any of these versions could allow attacked access to sensitive and confidential information and even let them take control of the computer.

It is suspected that the malicious code was injected to install a crypto miner on the targeted system. The issue is now patched in versions 0.7.30, 0.8.1, and 1.0.1.

Developer’s Response

It was developed and maintained by an Indonesian programmer Faisal Salman (who uses the alias faisalman to publish his software). The programmer posted on his Gitmemory profile that his developed software has been modified and embedded with malicious code.

“I believe someone was hijacking my NPM account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” Salman said.

GitHub Alert

In an independent alert, GitHub notified users that any computer running this package should be considered compromised, and therefore, sensitive data and keys stored on the device should be transferred to another device.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the notice read.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Total
0
Shares
Related Posts