CISA Warning: Malicious code injected into JavaScript library UAParser.js!
by Svenja Koch
The US authority CISA has issued a security warning about attacks with malicious code spread via the widely used npm library UAParser.js. Where and how did the infection take place?
The affected JavaScript library UAParser.js is hosted on GitHub, a platform on which software developers access repositories containing programme libraries such as this one. These libraries on GitHub are open source, and developers integrate the ones they need into their own products. GitHub serves as a central point of contact for libraries, which simplifies keeping programmes up to date: a package manager takes care of updating the individual libraries from the repository that are part of a finished software product. The platform has been part of the Microsoft group since 2018.
Independent developers who publish their own programme libraries are active on GitHub. This was also the case with the now infected JavaScript library UAParser.js. The software developer behind this library operates under the nickname faisalman and comes from Indonesia. He commented on GitHub shortly after the CISA security warning, stating that either his email account or his npm account had been hacked. Via this route the attackers gained access to his account on GitHub, infected the open-source JavaScript library UAParser.js with their own malicious code and published it as a version update on GitHub.
In which npm library is the malicious code present?
Three versions of the JavaScript library UAParser.js are affected. These are 0.7.29, 0.8.0 and 1.0.0. The owner of the library released corrected and secure version updates only a short time after the hack. These are available for download under the version numbers 0.7.30, 0.8.1 and 1.0.1.
Who is affected and how does the infected npm library get onto target computers?
First and foremost, all software products that use the JavaScript library UAParser.js are potentially affected. This library provides a rather general function: it recognises the operating system, the processor, the browser and some other key data of the computer. For end users, it is hardly possible to tell which libraries the software they use is built on. Since this library is used in open source software, programmes from that area are affected as well. It is known that the library is used in many programmes, including those of large IT companies: Google, Amazon, Facebook, IBM and also Microsoft use this npm package.
End users are only at risk if the software developers have included the infected library in their product and published it as an update. This happens via so-called dependencies. In some cases, such processes are automated: as soon as a library is updated on GitHub, the software that uses it is also updated via the dependencies, and the updates are then distributed directly via GitHub. Accordingly, downloads of programme libraries on GitHub are frequent. The download history for the affected JavaScript library UAParser.js shows that almost eight million downloads were made in the previous week alone. According to estimates based on the library's weekly download numbers, about 188,000 users received the infected version.
Reports from users indicate that one affected application is the publishing software docusaurus. Here, an update occurred during the course of Friday. Those who used this software and installed the official docusaurus update also, unintentionally, installed the malicious code that the hackers had placed in the JavaScript library UAParser.js. Accordingly, these computers are most likely compromised.
What is the function of the malicious code placed by the attackers in the npm library?
Analyses of the open source code show what the code the hackers placed in the library does. In the course of Saturday, i.e. one day after the CISA security warning, it became apparent that two components are involved. Both are scripts that download executable files and execute them on the target system.
The first component loads a so-called mining tool for cryptocurrencies onto the computer and starts it. Mining tools generate units of cryptocurrencies such as Bitcoin by providing computing power; in this way, these programmes exchange computing time for monetary benefits. The mining tool puts the computer under full load, which leads to unpleasant side effects: programmes react more slowly, the main memory fills up and the power consumption increases enormously in some cases. Thus, real costs also arise for the owners of computers infected with a mining tool. The attackers probably combine the compromised computers into a botnet and thus concentrate the computing power, maximising both the computing power and the financial benefits from the attack. At the end of October 2021, the value of a Bitcoin is over 50,000 euros, so such large-scale attacks with mining tools are well worthwhile.
The second component is a Trojan, which appears to run only under Windows operating systems. The Trojan steals access data from the user's browser and sends it to the attackers. During observations of infected computers, it was found that the malware exports the database of the Chrome browser, which contains information about local cookies.
This second function of the malicious code is thus significantly more dangerous for the affected computer owners. While the mining tool merely impairs the use of the PC, the Trojan has the potential to steal access data for online banking, email accounts or company passwords.
What measures are necessary?
First of all, an update of the affected programmes that use the infected JavaScript library UAParser.js is necessary. However, this is not enough to contain the infestation and the danger. Since the malicious code downloads separate executable files, these remain active on the computer even after the library has been updated or removed. Malware removal tools can be used to remove the keylogger and the mining tool if necessary. At the same time, even this is no guarantee that no damage has occurred or that further damage will not occur, as the hackers may already be in possession of passwords and access data. Therefore, infected computers are to be considered completely compromised.
In such a case, the safest thing to do is to completely isolate the computer immediately. All passwords, both local and for web services, must be changed, as the hackers may have control over the accounts. It is important to do this with a computer that is not infected. To clean up the infected computer with certainty, it is necessary to reinstall the operating system. This is the only way to ensure that the malware is no longer embedded in the operating system.
Conclusion
Open source software in particular is considered secure because the entire source code of all parts of the programme, including the libraries used, is publicly accessible. At the same time, IT security experts have often pointed out the vulnerability of repositories like npm. The current example and the CISA security warning show that hackers are quite successful with attacks on repositories.
The actual infection is comparatively simple. It is sufficient to gain control over the GitHub account of a software developer who manages a library. There are numerous known possibilities for this, such as phishing or social engineering. The infiltration of the malicious code and the upload to GitHub are then a matter of minutes. A lot of time passes before the software developer responsible reacts or a third party notices the hack, and during this time the malicious code has most likely already found its way onto the computers of unsuspecting users. The weak link is thus a single private individual, while the impact, as in this case, reaches even the largest IT companies in the industry, from Amazon to IBM to Microsoft.