Malware Injected into UAParser.js NPM Package with 8M Downloads per Week

The story of the removal of three malicious packages that copied the code of the UAParser.js library from the NPM repository received an unexpected continuation - unknown attackers seized control over the account of the author of the UAParser.js project and released updates containing code for stealing passwords and mining cryptocurrencies.

The impact is significant because the UAParser.js library, which provides functions for parsing the HTTP User-Agent header, has about 8 million downloads per week and is used as a dependency in over 1200 projects. UAParser.js is claimed to be used by companies such as Microsoft, Amazon, Facebook, Slack, Discord, Mozilla, Apple, ProtonMail, Autodesk, Reddit, Vimeo, Uber, Dell, IBM, Siemens, Oracle, HP, and Verizon.

The attack was carried out by hijacking the account of the project developer, who realized something was wrong after an unusual wave of spam landed in his mailbox. How exactly the developer's account was compromised has not been reported. The attackers published releases 0.7.29, 0.8.0 and 1.0.0 with malicious code injected into them. Within a few hours, the developers regained control over the project and published updates 0.7.30, 0.8.1 and 1.0.1 that remove the malicious code. The malicious versions were published only as packages in the NPM repository; the project's Git repository on GitHub was not affected. Users who installed one of the problematic versions and find the jsextension file on Linux / macOS, or the jsextension.exe and create.dll files on Windows, are advised to consider the system compromised.

The malicious changes were similar to those previously found in the UAParser.js clones, which appear to have been released to test the functionality before launching a large-scale attack on the main project. The jsextension executable was downloaded from an external host, selected according to the user's platform, and launched on the user's system; builds existed for Linux, macOS and Windows. On Windows, in addition to the Monero cryptocurrency miner (XMRig was used), the attackers also dropped the create.dll library, which intercepts passwords and sends them to an external host.

The download code was added to the preinstall.sh file, which included the following insert (the download-and-run step is elided here as in the original):

    IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU|UA|BY|KZ')
    if [ -z "$IP" ]
    ...   # download and run the executable
    fi

As can be seen from the code, the script first looked up the client's country via the freegeoip.app service and did not launch the malicious executable for users whose IP address resolved to Russia, Ukraine, Belarus or Kazakhstan.

Source: opennet.ru
