Malicious NPM Package Clones Mine Monero and Steal Passwords

Attackers compromised the npm account of the UAParser.js project author and published three malicious updates that install a cryptominer and a password-stealing trojan. Clean versions of the package are now available, and users are strongly advised to update immediately.

What is UAParser.js?

UAParser.js is an open-source library used to parse the HTTP User-Agent header. It is extremely popular, used by over 1,200 projects, including products from Microsoft, Amazon, Google, Facebook, Mozilla, Apple, Dell, IBM, Siemens, Oracle, HP, MongoDB, Slack, and ProtonMail. The npm package receives about 8 million downloads per week, with over 24 million downloads in October alone.

Details of the Attack

Late last week, three malicious updates to UAParser.js appeared on NPM: versions 0.7.29, 0.8.0, and 1.0.0. The project author believes their repository account was hacked and noted that they were unable to revoke the dangerous fake releases due to repository policies.

An analysis by BleepingComputer revealed that when an infected version of UAParser.js is installed, the preinstall.js script checks the operating system and runs either a Linux shell script or a Windows batch file.

Linux Devices

  • The malware checks the victim’s location. If the user is in Russia, Ukraine, Belarus, or Kazakhstan, the script stops running.
  • Otherwise, it downloads and launches the XMRig miner (file named jsextension), which uses only 50% of the CPU to avoid detection.

Windows Machines

  • The cryptominer is also downloaded (saved as jsextension.exe).
  • The batch file downloads a malicious library sdd.dll (saved as create.dll), a trojan capable of stealing passwords from browsers, messengers, email clients, FTP, VNC, and the Windows Credential Manager. Experts believe this is a variant of the well-known DanaBot.

Response and Recommendations

The UAParser.js developers regained control of the project within a few hours and released clean versions: 0.7.30, 0.8.1, and 1.0.1. According to a GitHub alert, anyone who installed the malicious package should update as soon as possible and check their system for suspicious activity. All passwords, keys, and security certificates should be replaced using a different computer.

Ongoing Investigation

Researchers believe the creator of these malicious fakes is the same person who uploaded similar UAParser.js clones to NPM a week earlier. The malicious packages were quickly detected and removed, and the associated account was closed.
