Password-stealing trojans and cryptocurrency miners were installed on a library used by the likes of Facebook, Microsoft, and Amazon
The hijack of the package, which reportedly took place on 22 October, saw a threat actor publish malicious versions of UAParser.js library to target Linux and Windows machines.
If downloaded to a victims machine, the malicious package could have allowed hackers to obtain sensitive information or take control of their system, according to an alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA) on Friday.
The threat actor gained access to the developer's account and used it to distribute the infected versions, according to the package's author Faisal Salman, in a discussion held on GitHub.
Apologising for the circumstances, Salman said: "I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites. I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware."
Once he identified the infected versions, Salman flagged each one for containing malware and removed them from the platform.
One affected user analysed the compromised packages and discovered a script that attempted to export their OS credentials and a copy of their Chrome Browser's cookies DB file.
Further analysis by Sonatype, as seen by Bleeping Computer, shows that the malicious code will check the OS used on a victim's device and, depending on the OS used, launch a Linux shell script or Windows batch file.
The package would initiate a preinstall.sh script to check Linux devices if the user was located in Russia, Ukraine, Belarus, and Kazakhstan. If the device was located elsewhere, the script would download an XMRig Monero cryptocurrency miner designed to use 50% of a victim's CPU power to avoid detection.
Further analysis also showed that the password stealer also attempted to steal passwords from the Windows credential manager using a PowerShell script.
Users of the UAParser.js library are advised to check the version used in their projects and upgrade to the latest version, which is free of the malicious code.
In the same week, Sonatype also discovered three more libraries containing similar code, again targeting Linux and Windows machines with cryptocurrency miners.
AI for customer service
IBM Watson Assistant solves customer problems the first timeView now
Solve cyber resilience challenges with storage solutions
Fundamental capabilities of cyber-resilient IT infrastructureFree Download
IBM FlashSystem 5000 and 5200 for mid-market enterprises
Manage rapid data growth within limited IT budgetsFree download
Leverage automated APM to accelerate CI/CD and boost application performance
Constant change to meet fast-evolving application functionalityFree Download