"I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware," said Faisal Salman, author of the UAParser.js library.

Hours after discovering the hack, Salman pulled the compromised library versions, to prevent users from accidentally infecting themselves, and released clean ones.

Analysis of the malicious code revealed extra scripts that would download and execute binaries from a remote server. Binaries were provided for both Linux and Windows platforms.

"From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage," a GitHub user said on Friday.

But on Windows systems, the scripts would also download and execute an infostealer trojan (possibly a version of the Danabot malware) that contained functionality to export browser cookies, browser passwords, and OS credentials, according to another GitHub user's findings.

Because of the large number of downloads and the big-name corporations that relied on the library, the US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert late Friday night about the incident, urging developers to update to the safe versions.
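
To find out whether a project resolved one of the three hijacked releases, including as a nested transitive dependency, the lockfile can be checked directly. The following is an added example, not code from the article or from the UAParser.js project; it assumes the library's npm package name `ua-parser-js` and the standard `package-lock.json` layouts, and the sample lockfile (`demo-app`, `some-lib`) is constructed for illustration.

```javascript
// Added example: scan a parsed package-lock.json for the hijacked ua-parser-js releases.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']); // versions named in the article
const PKG = 'ua-parser-js'; // npm package name of UAParser.js

function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1 (and the compatibility copy in v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === PKG && COMPROMISED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  // A v2 lockfile lists each install in both sections; report each path once.
  const seen = new Set();
  return hits.filter((h) => !seen.has(h.path) && seen.add(h.path));
}

// Constructed sample: the top-level copy is a clean version, but a hypothetical
// dependency "some-lib" pins its own nested copy of a compromised release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' }, // the project itself, not the library
    'node_modules/ua-parser-js': { version: '0.7.28' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.29' },
  },
  dependencies: {
    'ua-parser-js': { version: '0.7.28' },
    'some-lib': { version: '2.1.0', dependencies: { 'ua-parser-js': { version: '0.7.29' } } },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

For a real project, pass `findCompromised` the result of `JSON.parse` on the contents of `package-lock.json`. A clean lockfile does not rule out an earlier install from a compromised version on that machine.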