Threat Signal Report

Cryptominer and Infostealer Delivered via Hijacked Popular NPM Library

description-logo Description

FortiGuard Labs is aware of a report that a few versions of the popular Node Package Manager (NPM) library UAParser.js were hijacked and served cryptominer and infostealer to Windows to Linux platforms. The NPM library is used in apps and websites to detect the type of device or browser from User-Agent data. UAParser.js is adopted by large companies and has about six to seven million downloads every week. Because of potential impact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on October 22nd urging users with compromised versions of UAParser.js to update to benign versions.


Why is this Significant?

This is significant because UAParser.js is widely adopted by large companies around the globe and has about six to seven million weekly downloads. The compromised libraries deployed cryptominer to Linux and Windows systems. Windows systems also received infostealer to harvest user credentials. Because of potential impact, CISA published an advisory on October 22nd urging users with compromised versions of UAParser.js to update to benign versions. See Appendix for the link to "Malware Discovered in Popular NPM Package, ua-parser-js".


What is UAParser.js?

UAParser.js is a JavaScript library used to detect Browser, Engine, OS, CPU, and Device type/model information from User-Agent data.


How was UAPaser.js Hijacked?

According to the developer, "Faisal Salman," his NPM account was compromised. The compromised NPM account was used to deploy tainted versions of UAPaser.js. It is unclear how the developer's NPM account was compromised in the first place.


What Malware were Served from the Hijacked UAPaser.js?

An open-source XMrig miner that mines Monero cryptocurrency was served to both Linux and Windows systems. Windows systems also received an infostealer malware that harvests user credentials from various software such as FTP and email clients, Virtual Network Computing (VNC) and browsers that are present on the compromised machine.


Which Versions of UAPaser.js Served Malware?

The compromised versions are 0.7.29, 0.8.0, and 1.0.0.


Which Versions of Subsequent UAParser.js are Deemed Clean?

Clean version of the library that were pushed out after the incident are 0.7.30, 0.8.1, and 1.0.1.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the available files used in the attack:


W32/GenKryptik.EONW!tr

W32/ZDlder.SBEO!tr

ELF/BitCoinMiner.HF!tr

BAT/Miner.ht!tr

Riskware/CoinMiner.PO

W32/ZDlder.SBEO!tr

JS/Zapchast.fc!tr


All Network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client.


Other Mitigation?

Due to the potential impact of the issue, users of UAParser.js library are strongly recommended to check their projects for malicious software.

Windows systems with compromised versions of UAParser.js may have received an infostealer payload. As such, affected Windows users are strongly recommended to change their passwords, keys, and refresh tokens.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.