Compromised NPM packages of ua-parser-JS (0.7.29, 0.8.0, 1.0.0) (opens in new tab)

discussion is already going on reddit: https://www.reddit.com/r/programming/comments/qdlela/breakin...

The compromised package: https://www.npmjs.com/package/ua-parser-js

7,680,657 downloads a week

Version 0.7.28 is still good, anything above that is compromised

> 0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

Probably one of the biggest reasons it's downloaded so much is that it's a direct dependency of Facebook's "fbjs" package which is downloaded 5.7mil/week: https://www.npmjs.com/package/fbjs

https://github.com/facebook/fbjs/blob/main/packages/fbjs/pac...

Someone has already filed an issue: https://github.com/facebook/fbjs/issues/464

Maintainer already released clean versions "on top of" the compromised ones, and NPM acted on reports and removed the compromised versions as well.

Compromised (and no longer downloadable from NPM):

- 0.7.29

- 0.8.0

- 1.0.0

Clean:

- 0.7.28 (last version before the hijack)

- 0.7.30

- 0.8.1

- 1.0.1

Compromised versions apparently contained a cryptomining tool capable of running on Linux, and a trojan that extracts sensitive data (saved passwords, cookies) from browsers on Windows. Both are blocked by up-to-date Windows Defender and presumably other AV software.

For those looking, this is the diff. I'd be really curious how that got in.

https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

id abandon the entire name spzce.