
Written by:
Iain Brook

Popular JavaScript library comes under attack from hackers

Did you hear about the recent hacking of a popular JavaScript library? The intent was to spread malware and install password stealers and cryptocurrency miners on victims’ machines.

The library in question was UAParser.js (published on npm as ua-parser-js), a small-footprint library that parses User-Agent strings to identify a visitor’s browser, operating system and device. It is downloaded more than seven million times every week, and some of the world’s biggest tech companies, including Facebook, Microsoft, Amazon and Reddit, are said to use it, so this was pretty big news.

ITPro reports that the 22nd October hijack “saw a threat actor publish malicious versions of UAParser.js library to target Linux and Windows machines”.

The hackers gained access to the npm account of the library’s developer, Faisal Salman, and used it to publish the compromised versions.

Luckily, Salman was quick to spot things weren’t quite right: “I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites. I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware.”

He quickly flagged the infected versions and removed each one from the platform. Another developer analysed the compromised packages, which revealed a script that attempted to export OS credentials and browser cookies.

Depending on the OS used, the malicious code would launch either a Linux shell script or Windows batch file, before targeting machines with cryptocurrency miners and a password-stealing trojan.
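The first thing a team that depends on this library would want to know is whether any of its lockfiles pin one of the three versions Salman named. The following script is an added example, not code from the article or from the UAParser.js project: it scans an npm package-lock.json (both the older nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 “packages” layout) for the hijacked versions. The package name ua-parser-js is the real npm name; the lockfile contents below are constructed sample data, and the nested SAMPLE_LOCK entries are hypothetical.

```javascript
// Added example (not from the article or the UAParser.js project): scan an npm
// lockfile for the hijacked ua-parser-js releases the maintainer listed
// (0.7.29, 0.8.0, 1.0.0) and report where in the dependency tree they sit.

const COMPROMISED = {
  // npm name of UAParser.js, mapped to the versions named in the maintainer's notice.
  'ua-parser-js': new Set(['0.7.29', '0.8.0', '1.0.0']),
};

// Returns [{ name, version, where }] for every compromised entry in the lockfile.
// lockfileVersion 2/3 carry a flat "packages" map keyed by node_modules path;
// lockfileVersion 1 carries a nested "dependencies" tree. A v2 file has both,
// so the nested tree is only walked when "packages" is absent, to avoid duplicates.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];

  // v2/v3: keys look like "node_modules/foo" or "node_modules/a/node_modules/foo";
  // the root package has the key "" and is skipped.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name && compromised[name] && compromised[name].has(meta.version)) {
      hits.push({ name, version: meta.version, where: path });
    }
  }

  // v1: recurse through nested "dependencies", recording the parent chain.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = prefix ? `${prefix} > ${name}` : name;
      if (compromised[name] && compromised[name].has(meta.version)) {
        hits.push({ name, version: meta.version, where });
      }
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');

  return hits;
}

// Constructed sample lockfile (lockfileVersion 2). "some-lib" is a hypothetical
// package that pins its own, clean copy of ua-parser-js; the top-level copy is bad.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.28' },
  },
};

// Usage: in practice pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised ${hit.name}@${hit.version} at ${hit.where}`);
}
```

Two caveats. The scan only matches the versions Salman listed, so it says nothing about other tampered packages; and a clean lockfile today does not tell you what was installed on a build machine or laptop last week. Given that the payload went after OS credentials and browser cookies, any machine that did pull one of those versions should have its credentials rotated rather than just having the package downgraded.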

In the same week, Sonatype also discovered three more libraries containing similar code.

And in a separate incident just this week, other popular libraries, Coa and rc, were hijacked and used to spread malicious code, as reported by TechRadar.com.

We know that, as developers, you’re more focused on building rather than breaking code, so we’re always on the lookout for stories like this to help you avoid any nasty surprises.
