Malware injected into the UAParser.js NPM package, which has 8M downloads per week

The story of the removal of three malicious packages that copied the code of the UAParser.js library from the NPM repository has had an unexpected continuation: unknown attackers took over the account of the author of the UAParser.js project and released updates containing code for stealing passwords and mining cryptocurrencies.

The problem is that the UAParser.js library, which provides functions for parsing the HTTP User-Agent header, has about 8 million downloads per week and is used as a dependency by more than 1200 projects. UAParser.js is reported to be used in projects of companies such as Microsoft, Amazon, Facebook, Slack, Discord, Mozilla, Apple, ProtonMail, Autodesk, Reddit, Vimeo, Uber, Dell, IBM, Siemens, Oracle, HP and Verizon.

The attack was carried out by hijacking the account of the project's developer, who realised something was wrong after an unusual wave of spam hit his mailbox. Exactly how the developer's account was compromised has not been reported. The attackers created releases 0.7.29, 0.8.0 and 1.0.0 containing malicious code. Within a few hours the developers regained control of the project and published releases 0.7.30, 0.8.1 and 1.0.1 to fix the problem. The malicious versions were published only as packages in the NPM repository; the project's Git repository on GitHub was not affected. All users who installed the problematic versions are advised to consider the system compromised if they find the file jsextension on Linux/macOS, or the files jsextension.exe and create.dll on Windows.

The malicious changes that were added resembled the changes previously planted in the clones of UAParser.js, which appear to have been released to test functionality before launching a large-scale attack on the main project. The jsextension executable was downloaded to the user's system from an external host, selected according to the user's platform, and was available for Linux, macOS and Windows. On Windows, in addition to a Monero cryptocurrency miner (the XMRig miner was used), the attackers also arranged the installation of the create.dll library to intercept passwords and send them to an external host.

The download code was added to the preinstall.sh file, which contained:

    IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU|UA|BY|KZ')
    if [ -z "$IP" ]
        ... download and run the executable file
    fi

As can be seen from the code, the script first looked up the country of the machine's IP address via the freegeoip.app service and did not launch the malicious payload for users in Russia, Ukraine, Belarus and Kazakhstan.

Source: opennet.ru
