Because of the software supply chain implications of the attack, GitHub issued a “critical severity” warning that any computer with the embedded npm package “should be regarded fully hacked.”
Three versions of the npm package ua-parser-js were released with malicious code. Users of the impacted versions (0.7.29, 0.8.0, and 1.0.0) should upgrade immediately and examine their systems for suspicious activity, according to GitHub’s alert.
“Any machine with this package installed or running should be regarded completely vulnerable.” GitHub advised that “any secrets and keys stored on that machine should be rotated promptly from a new computer.”
“The package should be uninstalled,” the company noted, “but because complete control of the machine may have been granted to an outside entity, there is no certainty that deleting the package will remove any dangerous software that resulted from its installation.”
The troublesome UAParser.js library is quite popular, with up to 8 million weekly downloads and users including Microsoft, Amazon, Facebook, Apple, and Oracle.
The problem originally came to light on Friday evening, when the package creator noted strange email behaviour, which led to the discovery of embedded malware. “I suspect my npm account was hacked and some compromised packages (0.7.29, 0.8.0, 1.0.0) were published, which will most likely install malware,” the developer added.
When the US government’s cybersecurity agency, CISA, issued its own “patch now” advisory, the matter became much more urgent.
From the CISA advisory:
“Versions of a popular NPM package named ua-parser-js were found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system.”
Users and administrators who are using the compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 are strongly advised to update to the patched versions 0.7.30, 0.8.1, and 1.0.1 as soon as possible.
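An added example (not from the article, GitHub or CISA) of the first check an administrator would run on reading this advisory: a Node script that parses a project's package-lock.json, flags ua-parser-js entries pinned to the three compromised versions, and names the patched release to move to. The lockfile contents below are constructed.

```javascript
// Added example: detect the compromised ua-parser-js versions named in the advisories
// inside a package-lock.json. Handles lockfile v1 (nested "dependencies") and
// v2/v3 (flat "packages" map). The sample lockfiles at the bottom are constructed.
const COMPROMISED = {
  "0.7.29": "0.7.30",
  "0.8.0": "0.8.1",
  "1.0.0": "1.0.1",
};

// Collect every ua-parser-js entry (install path + exact version) from a parsed lockfile.
function collectUaParserEntries(lock) {
  const found = [];
  if (lock.packages) {
    // v2/v3: flat "packages" map keyed by install path, e.g. "node_modules/foo/node_modules/ua-parser-js"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/ua-parser-js") && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // v1: recursive "dependencies" tree; nested copies live under the parent package
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "ua-parser-js" && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return the entries pinned to a compromised version, each with the patched version to move to.
function findCompromised(lockJson) {
  return collectUaParserEntries(JSON.parse(lockJson))
    .filter((e) => Object.prototype.hasOwnProperty.call(COMPROMISED, e.version))
    .map((e) => ({ ...e, upgradeTo: COMPROMISED[e.version] }));
}

// Constructed v2 lockfile: a direct dependency on a compromised build next to a clean nested copy.
const SAMPLE_LOCK_V2 = JSON.stringify({ lockfileVersion: 2, packages: {
  "node_modules/ua-parser-js": { version: "0.7.29" },
  "node_modules/analytics-lib/node_modules/ua-parser-js": { version: "0.7.28" },
} });
// Constructed v1 lockfile: a compromised copy pulled in transitively by another package.
const SAMPLE_LOCK_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  "analytics-lib": { version: "2.1.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
} });
console.log(findCompromised(SAMPLE_LOCK_V2), findCompromised(SAMPLE_LOCK_V1));
```

A hit only tells you the package was present; per the GitHub guidance above, the machine it was installed on still has to be treated as compromised and its secrets rotated, regardless of the upgrade.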