Last week, Sonatype reported our discovery of three malicious npm cryptomining packages on npm: klow, klown, and okhsa. These packages, which infiltrated the npm registry between October 12th and 15th, installed Monero miners on Windows, macOS, and Linux machines. Interestingly, at least one of these packages was seen impersonating a popular, legitimate library called “ua-parser-js.”
By Friday, the maintainer of the real “ua-parser-js” surprisingly announced the project had been hijacked—with versions 0.7.29, 0.8.0, 1.0.0 of the package now laced with cryptominers.
Sonatype’s security research team has cataloged these versions under Sonatype-2021-1529 in our data.
Based on the announcement, the cause of the hijack seems to be an npm account takeover:
“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware,” announced Faisal Salman, the developer behind “ua-parser-js.”
The real “ua-parser-js” has been downloaded almost a billion times to date and gets over 7 million weekly downloads. Big tech companies, including Facebook, Amazon, Microsoft, Google, Instagram, Mozilla, Elastic, Intuit, Slack, and Reddit are just some of the names depending on the library. These significant factors make the incident a concerning supply-chain attack among a series of attacks against open source ecosystems seen in the last year.
For example, Facebook’s “fbjs” library that itself gets over 5 million weekly downloads on npm alone, has “ua-parser-js” listed as a dependency.
Identical cryptominers found, along with password stealers
Sonatype’s analysis identified the cryptominers present in the hijacked “ua-parser-js” versions to have the same file names (jsextension, jsextension.exe) and file hashes as the miners found in the three malicious packages identified by us last week. This indicates a possible link to the same threat actor.