Discussion is already going on Reddit: https://www.reddit.com/r/programming/comments/qdlela/breaking_npm_package_uaparserjs_with_more_than_7m/

The compromised package: https://www.npmjs.com/package/ua-parser-js

7,680,657 downloads a week

Version 0.7.28 is still good, anything above that is compromised

> 0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

Probably one of the biggest reasons it's downloaded so much is that it's a direct dependency of Facebook's "fbjs" package, which is downloaded 5.7 mil/week: https://www.npmjs.com/package/fbjs

https://github.com/facebook/fbjs/blob/main/packages/fbjs/package.json#L72

Someone has already filed an issue: https://github.com/facebook/fbjs/issues/464
Maintainer already released clean versions "on top of" the compromised ones, and NPM acted on reports and removed the compromised versions as well.

Compromised (and no longer downloadable from NPM):

- 0.7.29
- 0.8.0
- 1.0.0

Clean:

- 0.7.28 (last version before the hijack)
- 0.7.30
- 0.8.1
- 1.0.1

Compromised versions apparently contained a cryptomining tool capable of running on Linux, and a trojan that extracts sensitive data (saved passwords, cookies) from browsers on Windows. Both are blocked by up-to-date Windows Defender and presumably other AV software.
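The version list above turned into a check against a project's own package-lock.json (an added example, not code from the thread or from the ua-parser-js project; the sample lockfile and its fbjs version are constructed). It handles both lockfile layouts (v1 nested `dependencies`, v2/v3 flat `packages`) and reports every installed copy of ua-parser-js, including transitive ones pulled in by packages such as fbjs, flagging those at 0.7.29, 0.8.0 or 1.0.0.

```javascript
// Added example: find installed ua-parser-js copies in a parsed package-lock.json
// and flag the versions the thread lists as compromised.
const PKG = "ua-parser-js";
const COMPROMISED = new Set(["0.7.29", "0.8.0", "1.0.0"]);

function findUaParser(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfile v2/v3: keys are install paths, e.g. "node_modules/fbjs/node_modules/ua-parser-js"
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${PKG}` || p.endsWith(`/node_modules/${PKG}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else {
    // lockfile v1: nested "dependencies" objects, one level per node_modules directory
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const p = `${prefix}node_modules/${name}`;
        if (name === PKG) hits.push({ path: p, version: meta.version });
        walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits.map((h) => ({ ...h, compromised: COMPROMISED.has(h.version) }));
}

// Constructed sample (not a real lockfile): a transitive copy via fbjs at a bad
// version next to a direct, clean copy.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    fbjs: { version: "0.0.0", dependencies: { "ua-parser-js": { version: "0.7.29" } } },
    "ua-parser-js": { version: "0.7.28" },
  },
};

// Stand-alone use: `node check.js [path/to/package-lock.json]`, sample lock if no path given.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const h of findUaParser(lock)) {
    console.log(`${h.compromised ? "COMPROMISED" : "ok         "} ${h.version}  ${h.path}`);
  }
}
```

Because lockfile v2 also carries a legacy `dependencies` tree, only one layout is walked so a copy is never reported twice.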
For those looking, this is the diff. I'd be really curious how that got in.

https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29