Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js #536
Comments
Ouch, does that mean like there's malicious code in it or something?
I just updated the package and Windows Defender blocked "ceprolad.a", a trojan. I didn't have any internet access at that moment...
Update - We all need to fix
@faisalman, I hope you can revert the versions with vulnerabilities?
0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.
Revert back to 0.7.28; all greater versions are infected. My computer was infected this morning when I updated my Docusaurus version. npm official flag: https://www.npmjs.com/package/ua-parser-js
The best solution is to publish the 0.7.30 version without the vulnerability. Then ^ will jump to the vulnerable version
Hi all, very sorry about this. I noticed something unusual when my email was suddenly flooded by spam from hundreds of websites (maybe so I don't realize something was up; luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages. I have sent a message to npm support since I can't seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish), so I can only deprecate them with a warning message.
@faisalman did you use the "Report malware" button? I don't know how quick npm support usually is, but I imagine they might pay attention to that.
I think we should publish new versions above these hijacked versions. Like:
Little problem with that decision - it will be hard to remove these versions in the future. So, ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.
Extra carefulness required because it seems to be affecting Linux machines as well; make sure the miner doesn't get installed on your servers & CI stuff. For now it seems to only hang during install because the URL containing the infection doesn't seem to be working, but it may not last. Linux users can use this command to see if the miner is running or not and stop it:
That's right, but it's the safest method I think. You can continue with version 2.0.0 and users who don't specify a specific version will not be affected.
Yes, I've sent the report using that form, hope they can just be removed. Otherwise, I have to publish under new versions.
This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better; it doesn't matter if version numbers suffer a little.
Does it? I'd have to change all my passwords.
You're right... OK then
I've dropped the DLL it runs onto VirusTotal (before unplugging the Ethernet): https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/behavior
We fixed it using this in our package.json:
Done. Thanks for the suggestion 👍
A solution that we're using to address this vulnerability is to set the resolutions in package.json to use the last good version:
That resolution will come in handy when using a library that depends on the latest of |
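Added example, not code from this thread or from the ua-parser-js project: a small Node.js audit that walks a parsed package-lock.json and flags any install of ua-parser-js at one of the three hijacked versions named in this issue, including copies nested under other dependencies, which a pin on your own direct dependency alone does not cover (that is what the `resolutions` approach above is for). The sample lockfile and the package name `some-widget-lib` are constructed.

```javascript
// Added example, not code from this thread or the ua-parser-js project.
// Audits a parsed package-lock.json for the three hijacked releases named
// in this issue, including copies nested under other dependencies.
const PKG = "ua-parser-js";
const COMPROMISED = new Set(["0.7.29", "0.8.0", "1.0.0"]);

// Returns every install path whose version is in the compromised set.
// Handles lockfileVersion 2/3 (flat "packages" map keyed by install path)
// and lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock, pkg = PKG, bad = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${pkg}`) && bad.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkg && bad.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`); // nested copies under a dependency
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (lockfileVersion 2): the app's direct dependency is
// pinned to the safe 0.7.28, but a transitive dependency pulled in 0.7.29,
// which pinning the direct dependency alone does not prevent.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-widget-lib": { version: "3.1.0" },
    "node_modules/some-widget-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised ${PKG}@${h.version} installed at ${h.path}`);
}
```

To audit a real project, pass `JSON.parse` of the committed lockfile to `findCompromised` and fail the CI step on a non-empty result before `npm ci` runs, so the install scripts in the bad versions never execute.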
* FIX: Wechat Desktop for Windows compatible with new version
* Move to check typeof for window for different envs
* Fix faisalman#413 Bug resulting Motorola model O
* Fix faisalman#367 faisalman#425 Detect Instagram in-app browser
* Add funding support links
* Fix faisalman#450 Sony Xperia Z2 Tablet
* Fix faisalman#454 Improve Samsung detection
* Add Nintendo Switch
* Fix faisalman#366 Amazon Alexa Echo Show
* Fix faisalman#339 Add Weibo
* Fix faisalman#407 ZTE Nubia misidentified as Nextbook Tablet
* FIX: new wechat desktop's unsafe regex
* Fix faisalman#433 faisalman#434 Huawei devices
* Fix faisalman#475 Nokia version incomplete
* Fix faisalman#470 Identify Android TV as SmartTV
* Latest Xperia lineup
* Fix faisalman#430 Playstation 5
* Fix faisalman#449 Lenovo Tablet
* Casually save some bytes
* Fix faisalman#401 Rearrange the order of regexes to improve hit-rate performance
* Fix faisalman#427 - Trying GitHub Actions
* Change mocha reporter for CI
* Action doesn't work, should be under /.github/workflows folder perhaps
* Fix faisalman#438 Add Zebra devices
* Update README contents & structures
* Enforce maximum limit to user-agent input
* Move documentation upwards and..mAkE tHe LoG0 BiG99eR!!1!1!
* Add CDN links & insert npm fund
* Fix faisalman#422 Add ARMHF in CPU Arch detection
* Fix faisalman#279 Remap old Edge versions <= 44 as suggested by @mikemaccana @callaginn
* Fix faisalman#448 Add AT&T & Vodafone devices
* Fix faisalman#209 Add CHANGELOG
* Add Electron
* Simplify Huawei detection
* Release as 0.7.25
* Refine some OS detection
* Add new OS: Raspbian
* Add Device: Surface Duo
* Add some test cases for Samsung, Huawei, Xiaomi
* Detect ARMEABI as ARM
* Casually save some bytes
* Refine some detection with more test cases
* Add new device.vendor: Vivo
* Fix faisalman#342 - Enforce all regexes to comply with safe-regex as a safeguard against possible ReDoS vulnerability
* Fix regexes that were marked as unsafe by safe-regex module
* Refine device detection with more test cases
* Add new device.vendor: Realme
* Release as 0.7.26
* Better tablet detection:
  - Huawei MediaPad M/T
  - Galaxy Tab SM-P
  - Kindle Fire without Silk
* Better tablet detection:
  - Fix lenovo phone / tablet detection
* Better tablet detection - Build.
* Better tablet detection:
  - iPad using Facebook browser on some occasions
  - More Huawei tablets
  - Asus ZenPad Z8s (P00J)
* Small refactor
* Add new Engine & Browser: Flow
* Add new browser: Firefox Reality
* Add new device: Fairphone
* Add string check to setUA method
* Release as 0.7.27
* More test for latest phones with unique form factor (fold/flip/qwerty/swivel)
* Add new device & browser: Tesla
* Minor rearrangement
* More test for tablet devices
* Update contributor list
* Fix faisalman#492 LG TV WebOS detection
* Delete redundant code
* Refactor code: saving bytes towards 15KB minified
* Update readme: use https for demo link
* Test for Firefox UAs, add new browser: Klar, add new OS: Maemo. Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox
* Revert breaking fix faisalman#279 and release as 0.7.28
* Improve detection rule for Mac on PowerPC
* Improve device detection: categorize PDA as mobile
* Improve browser detection: Netscape with version
* Improve os detection: Windows Mobile without version
* Add new OS: HP-UX
* Add new browsers: Obigo, UP.Browser
* Add new device vendor: Roku. Source: https://github.com/WhichBrowser/Parser-PHP/blob/master/tests/data/television/roku.yaml
* Refine some OS detection. Source:
  - https://www.zytrax.com/tech/web/browser_ids.htm
  - https://developers.whatismybrowser.com/useragents/explore/operating_system_name/
* Remove oldEdge map
* Replace `\s` with space, saving ~0,3KB
* ES3 compat-fix: remove trailing comma
* Improve device detection: Huawei, Xiaomi, Realme, LG, OnePlus, ASUS, ZTE, Fairphone
* Improve CPU detection for ARM64
* Improve device detection: LG Android TV
* Add new OS: Android-x86, Deepin, elementary OS, GhostBSD, Linspire, Manjaro, Sabayon. User-Agent source: whatismybrowser.com
* Fix faisalman#500 Sharp devices misjudged as Huawei devices
* Fix faisalman#506 - add test for Huawei ART-L29
* Fix faisalman#509 add support for Internet Explorer 8
* Create SECURITY.md. A simple instruction for security researchers.
* Improve regex efficiency when trimming long ua string https://blog.stevenlevithan.com/archives/faster-trim-javascript
* Add Huawei models
* Sony Xperia 1ii
* Samsung Galaxy S20 5G
* Add different oculus browser
* Oculus devices
* cleanup
* cleanup
* change to single line regex
* Enable to detect OPPO Reno5 A correctly.
* Securing the 0.7.x version (issue faisalman#536)
* Securing the 0.8.x version (issue faisalman#536)
* Securing the 1.x version (issue faisalman#536)
* feat: require the use of `===` and `!==`
* Update ua-parser.js
* ✨ Use AST to verify whether regexes are safe
* Bump version 0.7.31
* Fix faisalman#559: Sony Xperia 1 III misidentified as Acer tablet
* Fix faisalman#533: Detect Sony BRAVIA as SmartTV
* Fix faisalman#562 - Xiaomi Mi CC9
* Fix faisalman#561 - Increase UA_MAX_LENGTH to 275
* pr feedback
* v100 tests
* Add support for HuaweiBrowser
* update readme
* package.json: specify the folders to include
* add KakaoTalk App, KakaoStory App regex
* Add Kakao App, Naver App
* Add iOS Naver, Kakao regex
* fix browser-test typo
* Add LinkedIn app.
* Rename 'HuaweiBrowser' to 'Huawei Browser'
* Fix faisalman#565 - Add new OS: HarmonyOS
* Fix faisalman#558 - WeGame mistakenly identified as WeChat
* Increase UA_MAX_LENGTH to 350
* Fix faisalman#532 - Detect Xiaomi Mi TV as smarttv
* Fix faisalman#513 - Add new browser: DuckDuckGo
* Fix faisalman#516 - Add Focus into list of possible browser.name
* ci: add GitHub token permissions for workflow. Signed-off-by: Varun Sharma <[email protected]>
* fixed sony bravia smart tv, added sharp AQUOS TV
* Safari and Mobile Safari began to include commas in the minor version numbers.
* Fix faisalman#502 faisalman#580: Add notice for desktop device type
* Refine small redundancy
* Fix faisalman#596 - Detect Galaxy Tab S8 as tablet
* Add test case
* improved documentation
* Bump version 0.7.32
* Add new browser: Cobalt
* Fix documentation: `readme.md` refers to a `parser.getResults` function, which does not exist. This PR corrects the function name to `getResult`.
* Support Panasonic Viera Smart TVs
* Support Panasonic 2018+ smart tvs
* Add test for panasonic 2020 smart tv
* Add test for panasonic SAT receiver
* Support Loewe Smart TVs
* Add tests for JVC smart tvs
* Support philips smart tvs
* Add samsung testcases
* Add support for TechniSAT TVs and SATs
* Fix faisalman#605 - Identify Macintosh as Apple device
* Remove unsafe regex in trim() function: `trim()` function contains a regular expression that is vulnerable to ReDoS but was uncaught by `safe-regex` module.
* Bump version 0.7.33
* Fix faisalman#557 faisalman#612 faisalman#629 - Update the changelog
* Fix faisalman#621 - Detect Oculus Quest Pro
* Utilize navigator.userAgentData as a fallback faisalman#588
* Improve Kakao/Naver detection + add test
* Fix faisalman#619 - Move Sharp up to be checked before Huawei
* Rearrange the recently added smarttv detection
* Fix faisalman#620 - Add new Device: Kobo
* Fix faisalman#601 - Detect Chrome OS without version
* Update manifest
* fix: Don't act as a jQuery plugin
* build: 0.7.24 custom version
* Rebuilt min versions

---------
Signed-off-by: Varun Sharma <[email protected]>
Co-authored-by: ruicong <[email protected]>
Co-authored-by: David Annez <[email protected]>
Co-authored-by: Faisal Salman <[email protected]>
Co-authored-by: sUP <[email protected]>
Co-authored-by: o.drapeza <[email protected]>
Co-authored-by: liujunlve <[email protected]>
Co-authored-by: Ziding Zhang <[email protected]>
Co-authored-by: Paris Morgan <[email protected]>
Co-authored-by: Ryohei Shima <[email protected]>
Co-authored-by: chenhui9279 <[email protected]>
Co-authored-by: sunny-mwx <[email protected]>
Co-authored-by: Hans Ott <[email protected]>
Co-authored-by: XhmikosR <[email protected]>
Co-authored-by: KnifeLemon <[email protected]>
Co-authored-by: Dante <[email protected]>
Co-authored-by: JBYoshi <[email protected]>
Co-authored-by: Varun Sharma <[email protected]>
Co-authored-by: Jacky Choo <[email protected]>
Co-authored-by: nabetama <[email protected]>
Co-authored-by: kNoAPP <[email protected]>
Co-authored-by: Mok <[email protected]>
Co-authored-by: Oscar Becerra <[email protected]>
Co-authored-by: Riley Shaw <[email protected]>
Co-authored-by: Garrit Franke <[email protected]>
Co-authored-by: Garrit Franke <[email protected]>
Co-authored-by: smoroz <smoroz>
Co-authored-by: Spencer Wilson <[email protected]>
Co-authored-by: Luis Rivas <[email protected]>
Hi!
See a warning at npm - https://www.npmjs.com/package/ua-parser-js -
This package has been hijacked. Please revert to 0.7.28
First question - Can we use the range ^0.7.28, or is it not safe?
Second question - Will you create a new package, or try to remove the hijacked versions and continue updating this package?