Security News
Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper. Js, a Roblox game API wrapper available on NPM and as a standalone download. Roblox is a gaming platform with more than 40 million daily active users.
Malicious NPM packages pretending to be Roblox libraries are delivering ransomware and password-stealing trojans on unsuspecting users. In a new report by open source security firm Sonatype with further analysis by BleepingComputer, these malicious NPMs are infecting victims with an MBRLocker ransomware that impersonates the notorious GoldenEye ransomware, trollware, and a password stealing trojan.
The US government's Cybersecurity and Infrastructure Security Agency has warned developers that a version of the ua-parser-js JavaScript library, available via NPM, was infected with data-stealing and cryptocurrency-mining malware. The NPM account hosting it was seemingly compromised by miscreants, who modified the package so that when installed, it would bring in various bits of malware on whatever system was running the code.
The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to remove three rogue packages that were found to mimic the same library. The supply-chain attack targeting the open-source library saw three different versions - 0.7.29, 0.8.0, 1.0.0 - that were published with malicious code on Thursday following a successful takeover of the maintainer's NPM account.
Hackers hijacked the popular UA-Parser-JS NPM library, with millions of downloads a week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack. The UA-Parser-JS library is used to parse a browser's user agent to identify a visitor's browser, engine, OS, CPU, and Device type/model.
Three JavaScript libraries uploaded to the official NPM package repository have been unmasked as crypto-mining malware, once again demonstrating how open-source software package repositories are becoming a lucrative target for executing an array of attacks on Windows, macOS, and Linux systems. The malicious packages in question - named okhsa, klow, and klown - were published by the same developer and falsely claimed to be JavaScript-based user-agent string parsers designed to extract hardware specifics from the "User-Agent" HTTP header.
A widely used NPM package called 'Pac-Resolver' for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent. A Proxy Auto-Configuration file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname.
The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages. On further review of the researchers' reports, GitHub security team found some more high-severity vulnerabilities in the aforementioned packages, affecting both Windows and Unix-based systems.
Perry rediscovered this risk recently, when he decided to use a popular NPM package called Proxy-Agent to provide the proxy support he wanted in his HTTP Toolkit product. Numerous corporate-style tools exist to help computers on a network locate their official internal proxies automatically, including PAC, short for proxy auto-configuration, and WPAD, short for web proxy auto-discovery.
A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads. An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry, since early 2020.