Malware Found in UA-Parser-JS NPM Library

Popular package compromised in a way that could allow attacker to install password stealing trojans and crypto miners.

On October 23, BleepingComputer reported that hackers had hijacked the UA-Parser-JS Node Package Manager (NPM) library to infect Linux and Windows devices with password-stealing trojans and crypto miners. While Progress products were not directly compromised, out of an abundance of caution we feel it’s important to make our developer community aware of this news and how to rectify it.

What Happened?

On Friday, October 22, an unknown actor published malicious versions of the UA-Parser-JS NPM library. The ultimate targets were essentially any product that stores passwords locally. The malicious versions of the package were available for about four hours, from approximately 12:15-4:23 p.m. GMT.

If you’re directly or indirectly using ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0, you should consider your system compromised. Those versions were unpublished from npmjs several hours after the exploit was detected by the package owner.

How Do I Know if It Affects Me?

You may be affected if you use the NPM to manage and download open-source libraries as part of your engineering processes. The most likely targets are developer and CI/CD environments. Any computer that has one of the malicious versions of this package installed or running should be considered compromised.

What Should I Do?

• Ensure that the antivirus software on all development and QA machines is up to date and performing active monitoring
• All secrets and keys stored on a compromised computer should be changed immediately
• Delete any affected machines and update passwords
• To help shield yourself from a similar supply chain attack such as the one on October 22, use lock files for your dependencies, giving you control over any updates
• Update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1

Are Progress Products Affected?

Progress products were not compromised directly by this incident. We leverage practices to minimize vulnerabilities throughout our development cycle and work continuously to harden our products and infrastructure.

The malicious code specially targeted the password files of common FTP clients, including Progress WS_FTP Professional. Locally stored password files for many other common applications were also targeted including Chrome, Firefox and Safari among others.

Kinvey Flex feature

The Kinvey Flex feature allows deployment of custom Node.js services and therefore it is possible for Flex deployment to be affected. If you are using the Kinvey Flex feature, please review your deployed projects to ensure they and their dependencies are not using one of the compromised versions of the ua-parser-js module.

Even if a Flex service was affected, it is not possible for the harmful code to escape its isolated environment and harm or access anything else, even on multi-tenant Kinvey instances.

Further Information and Resources

• BleepingComputer article
• Coverage by Jet Brains
• Security Boulevard article
• GitHub advisory
• Progress Security Center