Malware found in npm package with millions of weekly downloads

From malware.news

ua-parser-js

A massively popular JavaScript library (npm package) was hacked today and modified with malicious code that downloaded and installed a cryptocurrency miner on systems where the compromised versions were installed.

  • The incident was detected on Friday, October 22.
  • It impacted UAParser.js, a JavaScript library for reading information stored inside user-agent strings.
  • According to its official site, the library is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many of Silicon Valley’s elites.
  • The library also regularly sees between 6 million and 7 million weekly downloads, according to its npm page.
  • Compromised versions: 0.7.29, 0.8.0, 1.0.0
  • Patched versions: 0.7.30, 0.8.1, 1.0.1
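The version list above can be turned into a quick check of a project's `package-lock.json`. The following is an added example, not code from the article or from the UAParser.js project; the function name `findCompromised` and both sample lockfiles are constructed for illustration, and it assumes the standard npm lockfile layouts (`packages` map in lockfileVersion 2/3, nested `dependencies` tree in lockfileVersion 1).

```javascript
// Added example: flag compromised ua-parser-js versions in a parsed package-lock.json.
const COMPROMISED = new Set(["0.7.29", "0.8.0", "1.0.0"]); // versions listed in the article
const PKG = "ua-parser-js";

// Returns [{ path, version }] for every compromised install found in the lockfile object.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/ua-parser-js" (the root project has key "").
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === PKG && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, so transitive copies need a recursive walk.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG && COMPROMISED.has(meta.version)) {
        hits.push({ path: [...trail, name].join(" > "), version: meta.version });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  // v2 lockfiles carry both sections; skip the legacy tree there to avoid double-reporting.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.30" },
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.0.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
    "ua-parser-js": { version: "1.0.1" },
  },
};

console.log(findCompromised(sampleV3), findCompromised(sampleV1));
```

In both samples the top-level copy is a patched version and the hit is a transitive copy pulled in by another dependency, which is the case a glance at `package.json` alone would miss.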
