Malicious NPM Package Clones Mine Monero and Steal Passwords
Attackers compromised the npm account of the UAParser.js project author and published three malicious updates that install a cryptominer and a password-stealing trojan. Clean versions of the package are now available, and users are strongly advised to update immediately.
What is UAParser.js?
UAParser.js is an open-source library used to parse the HTTP User-Agent header. It is extremely popular, used by over 1,200 projects, including products from Microsoft, Amazon, Google, Facebook, Mozilla, Apple, Dell, IBM, Siemens, Oracle, HP, MongoDB, Slack, and ProtonMail. The npm package receives about 8 million downloads per week, with over 24 million downloads in October alone.
Details of the Attack
Late last week, three malicious updates to UAParser.js appeared on NPM: versions 0.7.29, 0.8.0, and 1.0.0. The project author believes their repository account was hacked and noted that they were unable to revoke the dangerous fake releases due to repository policies.
An analysis by BleepingComputer revealed that when an infected version of UAParser.js is installed, the preinstall.js script checks the operating system and runs either a Linux shell script or a Windows batch file.
Linux Devices
- The malware checks the victim’s location. If the user is in Russia, Ukraine, Belarus, or Kazakhstan, the script stops running.
- Otherwise, it downloads and launches the XMRig miner (a file named jsextension), which uses only 50% of the CPU to avoid detection.
Windows Machines
- The cryptominer is also downloaded (saved as jsextension.exe).
- The batch file also downloads a malicious library, sdd.dll (saved as create.dll), a trojan capable of stealing passwords from browsers, messengers, email clients, FTP, VNC, and the Windows Credential Manager. Experts believe this is a variant of the well-known DanaBot.
Response and Recommendations
The UAParser.js developers regained control of the project within a few hours and released clean versions: 0.7.30, 0.8.1, and 1.0.1. According to a GitHub alert, anyone who installed the malicious package should update as soon as possible and check their system for suspicious activity. All passwords, keys, and security certificates should be replaced using a different computer.
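A quick audit a defender could run against a project after reading the advice above, as an added example that is not part of the article or of the UAParser.js project: it scans a parsed package-lock.json for the three compromised releases (the npm package name is ua-parser-js) and filters a file listing for the dropped-file names reported above. The sample lockfile is constructed.

```javascript
// Compromised releases named in the article, mapped to the clean re-releases.
const CLEAN_VERSION = { '0.7.29': '0.7.30', '0.8.0': '0.8.1', '1.0.0': '1.0.1' };
// Dropped-file names the article reports: the XMRig binary and the trojan DLL.
const INDICATOR_FILES = new Set(['jsextension', 'jsextension.exe', 'create.dll']);

// Scan a parsed package-lock.json for ua-parser-js at a compromised version; handles
// lockfileVersion 2/3 ("packages", flat, keyed by path) and v1 ("dependencies", nested).
function findCompromisedUaParser(lock) {
  const hits = [];
  const record = (installPath, version) => {
    if (version in CLEAN_VERSION) {
      hits.push({ path: installPath, version, updateTo: CLEAN_VERSION[version] });
    }
  };
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath.endsWith('node_modules/ua-parser-js')) record(installPath, meta.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (name === 'ua-parser-js') record(installPath, meta.version);
      walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Keep paths whose file name (either separator, case-insensitive for Windows) matches a dropped-file name.
function flagIndicatorFiles(filePaths) {
  return filePaths.filter((p) => INDICATOR_FILES.has(p.split(/[\\/]/).pop().toLowerCase()));
}

// Constructed sample lockfile (v2 layout): one direct hit, one nested hit,
// and one nested copy already on a clean version.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '1.0.0' },
    'node_modules/other-lib/node_modules/ua-parser-js': { version: '1.0.1' },
  },
};

console.log(findCompromisedUaParser(SAMPLE_LOCK));
console.log(flagIndicatorFiles(['/tmp/jsextension', 'C:\\Users\\x\\create.dll', '/opt/app.js']));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json and feed flagIndicatorFiles the output of a filesystem walk.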
Ongoing Investigation
Researchers believe the creator of these malicious fakes is the same person who uploaded similar UAParser.js clones to NPM a week earlier. The malicious packages were quickly detected and removed, and the associated account was closed.