
Compromised NPM packages of ua-parser-JS (0.7.29, 0.8.0, 1.0.0)

by nop_slide on 10/22/2021, 6:02:20 PM with 6 comments
  • by flanbiscuit on 10/22/2021, 8:02:55 PM

    discussion is already going on reddit: https://www.reddit.com/r/programming/comments/qdlela/breakin...

    The compromised package: https://www.npmjs.com/package/ua-parser-js

    7,680,657 downloads a week

    Version 0.7.28 is still good, anything above that is compromised

    > 0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

    Probably one of the biggest reasons it's downloaded so much is that it's a direct dependency of Facebook's "fbjs" package which is downloaded 5.7mil/week: https://www.npmjs.com/package/fbjs

    https://github.com/facebook/fbjs/blob/main/packages/fbjs/pac...

    Someone has already filed an issue: https://github.com/facebook/fbjs/issues/464

  • by olex on 10/22/2021, 9:50:17 PM

    Maintainer already released clean versions "on top of" the compromised ones, and NPM acted on reports and removed the compromised versions as well.

    Compromised (and no longer downloadable from NPM):

    - 0.7.29

    - 0.8.0

    - 1.0.0

    Clean:

    - 0.7.28 (last version before the hijack)

    - 0.7.30

    - 0.8.1

    - 1.0.1

    Compromised versions apparently contained a cryptomining tool capable of running on Linux, and a trojan that extracts sensitive data (saved passwords, cookies) from browsers on Windows. Both are blocked by up-to-date Windows Defender and presumably other AV software.

  • by justinlilly on 10/23/2021, 6:29:37 AM

    For those looking, this is the diff. I'd be really curious how that got in.

    https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

  • by cyanydeez on 10/22/2021, 10:26:36 PM

    I'd abandon the entire name space.