A Vulnerability In an NPM Package Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER: 2021-136
There are reports of this vulnerability being actively exploited for malicious purposes.
Systems affected:
- ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0
Risk:
- Large and medium government entities: MEDIUM
- Small government entities: MEDIUM
- Large and medium business entities: MEDIUM
- Small business entities: MEDIUM
A vulnerability has been discovered in the NPM package ua-parser-js that could allow for remote code execution upon installation of the affected versions. Malicious actors uploaded a version of ua-parser-js that contains several malicious scripts. The scripts are executed during installation and download additional malicious files that have been reported to run a cryptocurrency miner, steal saved passwords, export OS credentials, and copy the cookies database file from Chrome.
We recommend the following actions be taken:
- Apply appropriate patches provided by NPM to vulnerable systems immediately after appropriate testing.
- All secrets and keys stored on infected machines should be rotated immediately from a different machine.
- Remind users not to download, accept or execute files from untrusted and unknown sources.
- Remind users not to visit untrusted websites or follow links provided by untrusted or unknown sources.
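One way to check a project for the affected ua-parser-js versions named above, as an added example that is not part of the original advisory: the function walks a parsed package-lock.json in either lockfile layout and reports every place an affected version is pinned, including transitive copies. The name `findAffected` and both sample lockfiles are constructed for illustration.

```javascript
// Versions named as affected in the advisory above.
const AFFECTED = new Set(["0.7.29", "0.8.0", "1.0.0"]);
const PKG = "ua-parser-js";

// Walk a parsed package-lock.json and return every place an affected
// ua-parser-js version is pinned. Handles both lockfile layouts:
//   v2/v3: flat "packages" map keyed by path ("node_modules/a/node_modules/b")
//   v1:    nested "dependencies" tree keyed by package name
function findAffected(lock) { // hypothetical helper name
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Text after the last "node_modules/" is the package name.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    // The includes() guard skips the root entry (key "") and workspace paths.
    if (path.includes("node_modules/") && name === PKG && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PKG && AFFECTED.has(meta.version)) {
        hits.push({ path: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here); // nested (transitive) copies
    }
  };
  // v2 lockfiles carry both sections; walk the v1 tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" }, // root project, must not be flagged
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.3.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
    "ua-parser-js": { version: "0.8.1" },
  },
};
console.log(findAffected(sampleV3), findAffected(sampleV1));
```

A hit means the lockfile pins an affected version; because the malicious scripts run during installation, any machine that installed from that lockfile is a candidate for the secret rotation recommended above.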