×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Resources


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

A Vulnerability In an NPM Package Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2021-136

DATE(S) ISSUED:

10/23/2021

OVERVIEW:

A vulnerability has been discovered in the NPM package ua-parser-js that could allow for remote code execution upon installation of the affected versions. NPM is the default package manager for the Javascript runtime environment Node.js and ua-parser-js is a popular package within NPM that is used for detecting browser, engine, OS, CPU and device type and model information from User-Agent data.

THREAT INTELLIGENCE:

There are reports of this vulnerability being actively exploited for malicious purpose.

SYSTEMS AFFECTED:

  • ua-parser-js version 0.7.29, 0.8.0, and 1.0.0

RISK:

Government:
  • Large and medium government entities: MEDIUM
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: MEDIUM
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in the NPM package ua-parser-js that could allow for remote code execution upon installation of the affected versions. Malicious actors uploaded a version of ua-parser-js that contains several malicious scripts. The scripts are executed during installation and download additional malicious files that have been reported to run a cryptocurrency miner, steal saved passwords, export OS credentials, and copy the cookies database file from Chrome.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by NPM to vulnerable systems immediately after appropriate testing.
  • All secrets and keys stored on infected machines should be rotated immediately from a different machine.
  • Remind users not to download, accept or execute files from untrusted and unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by untrusted or unknown sources.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0