VYPR
High severity · NVD Advisory · Published May 24, 2022 · Updated Apr 15, 2025

ua-parser-js Crypto Mining backdoor

CVE-2021-4229

Description

Compromised versions of ua-parser-js (0.7.29, 0.8.0, 1.0.0) contained a backdoor introducing unauthorized crypto-mining on affected systems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions 0.7.29, 0.8.0, and 1.0.0 of the ua-parser-js npm package were found to contain a backdoor that introduced a crypto-mining component [1][2][3]. The package is a JavaScript library for user-agent detection, widely used in both client-side and Node.js environments. The compromised versions were published after the maintainer's account was hijacked and the package was modified to include malicious code, affecting any application that installed these versions via npm.

Exploitation

Exploitation required an attacker able to publish the compromised packages to npm, which was achieved through account hijacking. An end-user or developer who installed version 0.7.29, 0.8.0, or 1.0.0 would execute the malicious code during npm install or when the library was loaded. No additional authentication or user interaction beyond the install process is required. The backdoor's payload is a cryptocurrency miner, enabling unauthorized mining on the infected host.

Impact

Successful exploitation results in unauthorized execution of a cryptocurrency miner on the affected system [1][2]. This can lead to resource exhaustion (CPU, memory, power), degraded system performance, and potential additional compromise if the miner communicates with external servers. The impact is rated as critical due to the stealthy nature of the backdoor and the potential for widespread use of the library.

Mitigation

The vulnerability is addressed in versions 0.7.30, 0.8.1, and 1.0.1 [1]. Users should immediately upgrade to these or later versions. For those unable to upgrade, a workaround is to pin the package version to a known safe version such as 0.7.28 or to use a different user-agent detection library. The compromised versions have been removed from npm, and the package maintainers have released patches. This CVE does not appear in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions      Patched versions
ua-parser-js   npm         >= 0.7.29, < 0.7.30    0.7.30
ua-parser-js   npm         >= 0.8.0, < 0.8.1      0.8.1
ua-parser-js   npm         >= 1.0.0, < 1.0.1      1.0.1
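The version ranges in the table above and the upgrade-or-pin advice in the Mitigation section, as an added defender-side example that is not code from this advisory, from VYPR, or from the ua-parser-js project: a Node.js script that walks a parsed package-lock.json and flags every installed copy of ua-parser-js whose version falls inside a compromised range, reporting the patched version from the table. It assumes only the documented npm lockfile shapes (a nested "dependencies" tree in lockfileVersion 1, a flat "packages" map keyed by install path in versions 2 and 3); the two sample lockfiles are constructed for the demonstration and do not describe any real project.

```javascript
// Added example (not from the advisory or the ua-parser-js project): find
// compromised ua-parser-js installs in an npm lockfile.

// Affected ranges and patched versions, copied from the advisory's table.
const AFFECTED_RANGES = [
  { min: '0.7.29', maxExclusive: '0.7.30', patched: '0.7.30' },
  { min: '0.8.0',  maxExclusive: '0.8.1',  patched: '0.8.1'  },
  { min: '1.0.0',  maxExclusive: '1.0.1',  patched: '1.0.1'  },
];

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any suffix are tolerated)
// into three integers; returns null for anything that is not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric three-part comparison returning -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The affected range a ua-parser-js version falls in, or null when the
// version is outside every range or cannot be parsed.
function findAffectedRange(version) {
  if (!parseVersion(version)) return null;
  return AFFECTED_RANGES.find(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0
  ) || null;
}

// Walk a parsed package-lock.json. lockfileVersion 2/3 carry a flat
// "packages" map keyed by install path; lockfileVersion 1 carries a nested
// "dependencies" tree. Version 2 files contain both, so "packages" wins to
// avoid reporting the same install twice. One finding per compromised path.
function findCompromisedUaParser(lock) {
  const findings = [];
  const record = (path, version) => {
    const range = findAffectedRange(version);
    if (range) findings.push({ path, version, upgradeTo: range.patched });
  };

  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/ua-parser-js') && entry && entry.version) {
        record(path, entry.version);
      }
    }
    return findings;
  }

  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'ua-parser-js' && entry && entry.version) record(path, entry.version);
      walk(entry && entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed lockfileVersion 2 sample: a direct dependency on a compromised
// version plus a nested copy at the safe 0.7.28 pulled in by another package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/example-sdk': { version: '2.1.0' },
    'node_modules/example-sdk/node_modules/ua-parser-js': { version: '0.7.28' },
  },
};

// Constructed lockfileVersion 1 sample exercising the nested-tree code path.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-sdk': {
      version: '2.1.0',
      dependencies: { 'ua-parser-js': { version: '1.0.0' } },
    },
  },
};

for (const lock of [SAMPLE_LOCK, SAMPLE_LOCK_V1]) {
  for (const f of findCompromisedUaParser(lock)) {
    console.log(`${f.path}: ${f.version} is compromised; upgrade to ${f.upgradeTo}`);
  }
}
```

Against a real project, replace the sample objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A transitive copy nested under another dependency is reported with its full install path, which is what you need when the fix is an override or a pin on that dependency rather than on your own package.json.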

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The vulnerability mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.