The ua-parser-js can be used in either a browser (client-side) or node.js (server-side).
Details on the issue were posted to the GitHub Advisory Database on October 22, 2021:
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.” (GitHub)
Affected ua-parser-js versions include: 0.7.29, 0.8.0, and 1.0.0.
Users are recommended to update to the appropriate patched versions: 0.7.30, 0.8.1, or 1.0.1.
Code author Faisal Salman added more details and responded to numerous questions about the deprecated npm package ua-parser-js on GitHub (Issue #536).
“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary),” Faisal wrote in a post.
“I believe someone was hijacking my npm account and published some compromised packages.”
Another user, ‘alex-drocks’, also provided details on October 26 about how his system got compromised.
“My Win 10 dev box got compromised on Friday (I’m in the process of wiping it completely clean now). For what I know only jsextension.exe ran, but I got a shortcut placed in the Start Menu’s Startup folder trying to run create.dll with rundll32.exe.”
Multiple GitHub users also recommended that everyone who publishes to npm activate two-factor authentication on their account.