On October 22, just two days before the most recent 1024 Programmers' Day, there was a small stir in the front-end world.

ua-parser-js was found to contain injected malicious code that downloads malicious programs in the background and runs them. According to analysis, the downloaded programs may be used for cryptomining.

ua-parser-js is a well-known npm library, used mainly to parse the userAgent string and determine the browser, engine, operating system, CPU, device type and other information. It can be used either in the browser or in Node.js, so front-end developers have most likely used it often. It is downloaded nearly 8 million times a week.

Judging from the GitHub discussion, the compromise proceeded as follows:

  • Attackers stole the npm account password of the package's main maintainer.
  • They injected malicious code directly into the ua-parser-js source.
  • Three new versions were released: 0.7.29, 0.8.0 and 1.0.0.

The main malicious code is as follows:

IO/NPM/UA-pars…

The malicious behaviour was discovered some hours later, and the package maintainer immediately published new patch versions to supersede the malicious ones and notified npm. However, npm's rules apparently do not remove a malicious version immediately, so the malicious versions were still available on npm several hours after the discovery.

Fortunately, npm eventually removed the malicious versions, and they are gone now.

If you worked as usual this weekend and added a new package to your project or upgraded a package version, check your package lockfiles to see whether one of the malicious versions was pulled in. If it was, upgrade the affected dependencies and clear your package manager's cache, since the cached copy may be poisoned.
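To make the lockfile check above concrete, here is an added example (not code from the original post or from the ua-parser-js project) that scans package-lock.json and yarn.lock text for ua-parser-js at the three compromised versions, 0.7.29, 0.8.0 and 1.0.0. The sample lockfiles at the end are constructed for the demonstration.

```javascript
// Added example, not code from the original post: scan a package-lock.json
// and a yarn.lock for the three compromised ua-parser-js versions.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']);

// package-lock.json: lockfileVersion 1 nests "dependencies"; v2/v3 also list
// "packages" keyed by install path such as "node_modules/ua-parser-js".
function findInPackageLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === 'ua-parser-js' && COMPROMISED.has(info.version)) {
        hits.push({ where: [...trail, name].join(' > '), version: info.version });
      }
      walk(info.dependencies, [...trail, name]); // transitive dependencies
    }
  };
  walk(lock.dependencies, []);
  for (const [p, info] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/ua-parser-js') && COMPROMISED.has(info.version)) {
      hits.push({ where: p, version: info.version });
    }
  }
  return hits;
}

// yarn.lock (v1 format): an unindented header such as
// `ua-parser-js@^0.7.28:` is followed by an indented `  version "0.7.29"` line.
function findInYarnLock(lockText) {
  const hits = [];
  let header = null;
  for (const line of lockText.split('\n')) {
    if (!line.startsWith(' ') && line.trim().endsWith(':')) {
      header = line.trim().slice(0, -1).replace(/"/g, '');
    } else if (header && /(^|, )ua-parser-js@/.test(header)) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m && COMPROMISED.has(m[1])) hits.push({ where: header, version: m[1] });
    }
  }
  return hits;
}

// Constructed sample lockfiles (not real project files): a v1 package-lock
// pulling ua-parser-js in transitively, and a yarn.lock with a merged header.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 1,
  dependencies: { 'some-lib': { version: '1.2.3', dependencies: { 'ua-parser-js': { version: '0.7.29' } } } },
});
const SAMPLE_YARN_LOCK = 'some-lib@^1.2.0:\n  version "1.2.3"\n\nua-parser-js@^0.7.28, ua-parser-js@^0.7.20:\n  version "0.7.29"\n';
```

A hit in either function means the lockfile pins a compromised release; a transitive hit shows which direct dependency dragged it in.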