
Cloud Security

Hijacked NPM Account Leads to Critical Supply Chain Compromise

Rony Moshkovich

Published 10/24/21

As earlier reported by US-CERT, three versions of a popular NPM package named ua-parser-js were found to contain malware.


The NPM package ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data.


The author of the package, Faisal Salman, a software developer from Indonesia, commented on the incident:


Hi all, very sorry about this. I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0 I have sent a message to NPM support since I can’t seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.

More than 2.5 million other repositories depend on ua-parser-js, and a Google search for “file:ua-parser-js.js” returns nearly 2 million websites, which shows how widely the package is deployed.
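Because the package is usually pulled in transitively, the first question for a defender is whether any copy of the three hijacked releases sits anywhere in a project's dependency tree. The following Node script is an added example, not code from this post or from the ua-parser-js project: it walks a package-lock.json in either the lockfileVersion 1 layout (nested dependencies) or the lockfileVersion 2/3 layout (flat packages map) and reports every occurrence of ua-parser-js at 0.7.29, 0.8.0 or 1.0.0, the versions named in the maintainer's statement. The sample lockfiles embedded in it are constructed for the demonstration.

```javascript
// Added example (not from the original post or the ua-parser-js project):
// scan a parsed package-lock.json for the three hijacked ua-parser-js releases.
"use strict";

// Package -> set of versions named as compromised in the maintainer's statement.
const COMPROMISED = {
  "ua-parser-js": new Set(["0.7.29", "0.8.0", "1.0.0"]),
};

// lockfileVersion 1: "dependencies" is a tree of nested objects.
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.push({ name, version: info.version, path });
    if (info.dependencies) walkV1(info.dependencies, path, out);
  }
}

// lockfileVersion 2/3: "packages" is a flat map keyed by node_modules path.
function walkV2(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === "") continue; // the root project itself, not a dependency
    const idx = key.lastIndexOf("node_modules/");
    const name = info.name || (idx < 0 ? key : key.slice(idx + "node_modules/".length));
    out.push({ name, version: info.version, path: key });
  }
}

// Return every installed (name, version) that appears in the compromised table,
// whatever depth it is nested at.
function findCompromised(lockfile, table = COMPROMISED) {
  const installed = [];
  if (lockfile.packages) walkV2(lockfile.packages, installed);
  else walkV1(lockfile.dependencies, "", installed);
  return installed.filter((p) => table[p.name] && table[p.name].has(p.version));
}

// Constructed sample (v2 layout): the top-level copy is the clean 0.7.28,
// but a transitive dependency pins the hijacked 0.7.29.
const SAMPLE_LOCK_V2 = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-widget": { version: "2.1.0" },
    "node_modules/some-widget/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};

// Constructed sample (v1 layout) with a nested hit on 1.0.0.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-widget": {
      version: "2.1.0",
      dependencies: { "ua-parser-js": { version: "1.0.0" } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const hit of findCompromised(lock)) {
    console.log(`compromised: ${hit.name}@${hit.version} at ${hit.path}`);
  }
}
```

Matching is on the exact version string rather than a semver range on purpose: the lockfile records the resolved version, and the three bad releases are discrete values, so a range comparison would only widen the match without adding precision. To run it against a real project, replace the constructed samples with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.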


As seen in the source code diff, the newly added file package/preinstall.js checks the OS platform. On Windows, the script spawns the newly added preinstall.bat script.


On Linux, the script calls the terminalLinux() function, as seen in the source below:


var opsys = process.platform;
if (opsys == "darwin") {
    opsys = "MacOS";
} else if (opsys == "win32" ||
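The malicious code only runs because the hijacked release registered preinstall.js as an npm lifecycle script, so npm executed it automatically during installation. A useful routine check on a dependency tree is therefore to list every installed package that declares an install-time hook at all. The following Node script is an added example, not code from this post or from the ua-parser-js project: it takes a map of node_modules paths to parsed package.json manifests and returns every preinstall, install or postinstall script it finds. The manifests embedded in it are constructed; the preinstall command shown for the 0.7.29 entry is a placeholder, not the text of the real hijacked manifest.

```javascript
// Added example (not from the original post or the ua-parser-js project):
// list every installed package that registers an install-time lifecycle
// script, the mechanism that launched the malicious preinstall.js.
"use strict";

// Hooks npm runs automatically when a dependency is installed from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// manifests: { "<node_modules path>": <parsed package.json object> }
// Returns one finding per (package, hook) with the command npm would run.
function findLifecycleScripts(manifests, hooks = INSTALL_HOOKS) {
  const findings = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    const scripts = (pkg && pkg.scripts) || {};
    for (const hook of hooks) {
      const cmd = scripts[hook];
      if (typeof cmd === "string" && cmd.trim() !== "") {
        findings.push({ path, name: pkg.name, version: pkg.version, hook, command: cmd });
      }
    }
  }
  // Deterministic order so the report can be diffed between runs.
  return findings.sort((a, b) => a.path.localeCompare(b.path) || a.hook.localeCompare(b.hook));
}

// Constructed manifests: two clean packages (one of them the clean 0.7.28
// release) and one shaped like the hijacked release described in the post.
const SAMPLE_MANIFESTS = {
  "node_modules/express": {
    name: "express", version: "4.17.1", scripts: { test: "mocha" },
  },
  "node_modules/ua-parser-js": {
    name: "ua-parser-js", version: "0.7.28", scripts: {},
  },
  "node_modules/some-widget/node_modules/ua-parser-js": {
    name: "ua-parser-js", version: "0.7.29",
    // Placeholder command, constructed for the example.
    scripts: { preinstall: "node preinstall.js" },
  },
};

for (const f of findLifecycleScripts(SAMPLE_MANIFESTS)) {
  console.log(`${f.hook}: ${f.name}@${f.version} (${f.path}) -> ${f.command}`);
}
```

In a real tree the manifests come from reading each node_modules/*/package.json (and nested node_modules directories) with fs; the logic above is kept free of filesystem access so it runs as-is. Any package that appears in this report deserves a look at what the script does, and a build pipeline that does not need lifecycle scripts can refuse to run them altogether with `npm ci --ignore-scripts` or `ignore-scripts=true` in .npmrc, which would have stopped this preinstall.js from executing.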