IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Malware discovered in JavaScript Library accessed by millions each week

Password-stealing trojans and cryptocurrency miners were installed on a library used by the likes of Facebook, Microsoft, and Amazon

The outline of a skull displayed in computer code to represent malware

A popular JavaScript library used by major global technology firms has been targeted by hackers to spread malware and install password stealers and cryptocurrency miners on victims' machines.

The UAParser.js JavaScript library, which is accessed more than 7 million times per week, is used to detect small-footprint User-Agent data, such as a visitor's browser and OS, and is known to be used by the likes of Facebook, Microsoft, Amazon, Reddit and many more tech giants.

The hijack of the package, which reportedly took place on 22 October, saw a threat actor publish malicious versions of UAParser.js library to target Linux and Windows machines.

If downloaded to a victims machine, the malicious package could have allowed hackers to obtain sensitive information or take control of their system, according to an alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA) on Friday.

The threat actor gained access to the developer's account and used it to distribute the infected versions, according to the package's author Faisal Salman, in a discussion held on GitHub.

Apologising for the circumstances, Salman said: "I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites. I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware."

Once he identified the infected versions, Salman flagged each one for containing malware and removed them from the platform.

One affected user analysed the compromised packages and discovered a script that attempted to export their OS credentials and a copy of their Chrome Browser's cookies DB file.

Further analysis by Sonatype, as seen by Bleeping Computer, shows that the malicious code will check the OS used on a victim's device and, depending on the OS used, launch a Linux shell script or Windows batch file.

The package would initiate a preinstall.sh script to check Linux devices if the user was located in Russia, Ukraine, Belarus, and Kazakhstan. If the device was located elsewhere, the script would download an XMRig Monero cryptocurrency miner designed to use 50% of a victim's CPU power to avoid detection.

For Windows users, the same Monero miner would be installed in addition to a password-stealing trojan, which Sonatype speculates to be DanaBot - a banking trojan used by organised crime groups.

Further analysis also showed that the password stealer also attempted to steal passwords from the Windows credential manager using a PowerShell script.

Users of the UAParser.js library are advised to check the version used in their projects and upgrade to the latest version, which is free of the malicious code.

In the same week, Sonatype also discovered three more libraries containing similar code, again targeting Linux and Windows machines with cryptocurrency miners.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022