ITPro reports that the 22nd October hijack “saw a threat actor publish malicious versions of UAParser.js library to target Linux and Windows machines”.
The attackers gained access to the npm account of the library's developer, Faisal Salman, and used it to publish the compromised versions.
Luckily, Salman was quick to spot things weren’t quite right: “I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites. I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware.”
He quickly flagged the compromised versions and had each one removed from the npm registry. Analysis of the compromised packages by another developer revealed a script that attempted to exfiltrate OS credentials and browser cookies.
When a compromised version was installed, the malicious code checked the operating system and launched either a Linux shell script or a Windows batch file, which in turn dropped a cryptocurrency miner and a password-stealing trojan onto the machine.
In the same week, Sonatype also discovered three more libraries containing similar code.
In a separate incident this week, two other popular npm libraries, Coa and rc, were also hijacked and used to spread malicious code, as reported by TechRadar.com.
We know that, as developers, you’re more focused on building rather than breaking code, so we’re always on the lookout for stories like this to help you avoid any nasty surprises.