While there is no definitive evidence that the compromise of ua-parser-js is related to the above-mentioned dark-web activity, the weekly installs and dependency numbers appear to match and align with the developers' post of an account hijack.
There, a threat actor offered access to a developer account of an undisclosed package on, indicating that the package has “more than 7 million installations every week, more than 1,000 others are dependent on this.” With the requested price of $20,000 dollars, the threat actor stated that the account does not have 2-factor authentication. However, with the use of IntSights, recently acquired by Rapid7, a suspicious thread has been identified, created on October 5, 2021, in a prominent Russian hacking forum. During that time, 3 versions of the package were compromised with a script that would execute on Windows and Linux machines: Affected Versionīoth GitHub and CISA issued advisories urging users to upgrade right away and review systems for suspicious or malicious activity.ĭue to the quick reporting of issues by GitHub users and action by the developer, development exposure will be limited to teams who had a pull/build during that (roughly) 4-hour timeframe.Īt this time, the source of the attack is unconfirmed. The malicious package was available for download starting on October 22, 2021, at 12:15 PM GMT, and ending October 22, 2021, between 4:16 PM and 4:26 PM GMT. This package is used “to detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data,” with nearly 8 million weekly downloads and 1,200 dependencies. On a ReactJs project I try to parse with .JsPluginViewer.For approximately 4 hours on Friday, October 22, 2021, a widely utilized NPM package, ua-parser-js, was embedded with a malicious script intended to install a coinminer and harvest user/credential information. React Parsing string as html and applying a function to DOM with forwardRef
0 kommentar(er)
