Popular NPM Library Hijacked To Install Password-stealers, Miners
Hackers hijacked the popular UA-Parser-JS NPM library, with millions of downloads a week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack.
The UA-Parser-JS library is used to parse a browser’s user agent to identify a visitor’s browser, engine, OS, CPU, and Device type/model.
The library is immensely popular, with millions of downloads a week and over 24 million downloads this month so far. In addition, the library is used in over a thousand other projects, including those by Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and many more well-known companies.
UA-Parser-JS project hijacked to install malware
On October 22nd, a threat actor published malicious versions of the UA-Parser-JS NPM library to install cryptominers and password-stealing trojans on Linux and Windows devices.
According to the developer, his NPM account was hijacked and used to deploy the three malicious versions of the library.
“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary),” explained Faisal Salman, the developer of UA-Parser-JS, in a bug report.
“I believe someone was hijacking my npm account and published some compromised packages (
1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0.”
The affected versions and their patched counterparts are:
|Malicious version||Fixed version|
From copies of the malicious NPMs shared with BleepingComputer by Sonatype, we can better understand the attack.
When the compromised packages are installed on a user’s device, a preinstall.js script will check the type of operating system used on the device and either launch a Linux shell script or a Windows batch file.
If the package is on a Linux device, a preinstall.sh script will be executed to check if the user is located in Russia, Ukraine, Belarus, and Kazakhstan. If the device is not located in those countries, the script will download the jsextension [VirusTotal] program from 159[.]148[.]186[.]228 and execute it.
The jsextension program is an XMRig Monero miner, which will use only 50% of the device’s CPU to avoid being easily detected.
For Windows devices, the batch file will also download the XMRig Monero cryptominer and save it as jsextension.exe [VirusTotal] and execute it. In addition, the batch file will download an sdd.dll file [VirusTotal] from citationsherbe[.]at and save it as create.dll.
The downloaded DLL is a password-stealing trojan (possibly DanaBot) that will attempt to steal the passwords stored on the device.
When the DLL is loaded using the
regsvr32.exe -s create.dll command, it will attempt to steal passwords for a wide variety of programs, including FTP clients, VNC, messaging software, email clients, and browsers.
A list of targeted programs can be found in the table below.
|Screen Saver 9x||Apple Safari||NetDrive|
|PC Remote Control||Remote Desktop Connection||Becky|
|ASP.NET Account||Cisco VPN Client||The Bat!|
|CamFrog||FAR Manager FTP||Gmail Notifier|
|Win9x NetCache||Windows/Total Commander||Mail.Ru Agent|
|“&RQ, R&Q”||CuteFTP||Group Mail Free|
|IM2/Messenger 2||BulletProof FTP Client||POP Peeper|
|Google Talk||SmartFTP||Mail Commander|
|Faim||TurboFTP||Windows Live Mail|
|MSN Messenger||CoffeeCup FTP||SeaMonkey|
|Windows Live Messenger||Core FTP||Flock|
|Paltalk||FTP Explorer||Download Master|
|Excite Private Messenger||Frigate3 FTP||Internet Download Accelerator|
|PartyPoker||SoftX FTP Client||WebCred|
|CakePoker||Directory Opus||Windows Credentials|
|UBPoker||FTP Uploader||MuxaSoft Dialer|
|EType Dialer||FreeFTP/DirectFTP||FlexibleSoft Dialer|
|RAS Passwords||LeapFTP||Dialer Queen|
|Chrome||32bit FTP||Advanced Dialer|
In addition to stealing passwords from the above programs, the DLL will execute a PowerShell script to steal passwords from the Windows credential manager, as shown below.
This attack appears to have been conducted by the same threat actor behind other malicious NPM libraries discovered this week.
Researchers from open-source security firm Sonatype discovered three malicious NPM libraries used to deploy cryptominers on Linux and Windows devices in an almost identical manner.
What should UA-Parser-JS users do?
Due to the widespread impact of this supply-chain attack, it is strongly advised that all users of the UA-Parser-JS library check their projects for malicious software.
This includes checking for the existence of either jsextension.exe (Windows) or jsextension (Linux) and deleting them if they are found.
For Windows users, you should scan your device for a create.dll file and delete it immediately.
While only Windows was infected with a password-stealing Trojan, it is wise for Linux users to also assume their device was fully compromised.
Due to this, all infected Linux and Windows users should also change their passwords, keys, and refresh tokens, as they were likely compromised and sent to the threat actor.
While changing your passwords and access tokens will likely be a huge undertaking, by not doing so, the threat actor can compromise other accounts, including any projects you develop for further supply-chain attacks.