Open Source 2021-10-22 · 0 days · Financial Exploitation, Cryptojacking, Credential Theft

ua-parser-js hijack shipped malware

The maintainer's npm account was compromised, allowing attackers to publish malicious versions of ua-parser-js, a library embedded across millions of weekly installs.

Story

ua-parser-js sat low in the stack and high in the graph. It parsed user-agent strings. Most applications did not depend on it by choice; they received it through other packages. On October 22, 2021, a hijacked npm account published malicious versions 0.7.29, 0.8.0, and 1.0.0 under the real package name.

The delivery was the install script. Windows and Linux hosts that installed the poisoned versions could fetch and run additional binaries. The payload attempted credential theft, including OS passwords, browser cookies, and Discord tokens, and also installed cryptomining malware.

The package made the platform split explicit. The poisoned archives carried preinstall scripts and binaries with names such as jsextension, jsextension.exe, create.dll, and sdd.dll, giving the attacker different paths for Linux and Windows machines while keeping the npm package coordinate unchanged.

The response matched the trust failure. GitHub's advisory told users to treat affected machines as fully compromised and rotate secrets from clean hosts. The lesson was simple: a parser with millions of weekly downloads is infrastructure, even when no one thinks of it that way.
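A defender's check for the two facts above, the pinned versions and the install-time hook, as an added example that is not code from the ua-parser-js project or the original record. It assumes an npm lockfile in v2/v3 layout (a `packages` map keyed by on-disk path); the lockfile and manifest objects are constructed sample data.

```javascript
// Added example (not code from the ua-parser-js project): audit an npm
// lockfile for the poisoned releases named above and flag the lifecycle
// install hooks that delivered the payload in this incident.
// Assumes npm lockfile v2/v3 ("packages" map keyed by on-disk path).
// SAMPLE_LOCK and SAMPLE_PKG are constructed, not real project data.
const PACKAGE = 'ua-parser-js';
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']);
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return every node_modules path that pins a compromised version,
// including transitive copies nested under other dependencies.
function findCompromised(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    // key "" is the root project; dependency keys end in the package name
    if (p.endsWith('node_modules/' + PACKAGE) && COMPROMISED.has(meta.version)) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Return the lifecycle hooks a package.json declares. Any hook means the
// package runs code at install time, which is how the poisoned versions
// fetched and executed their binaries.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Constructed sample: one direct hit, one transitive hit, one patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/widget/node_modules/ua-parser-js': { version: '1.0.1' },
    'node_modules/kit/node_modules/ua-parser-js': { version: '0.8.0' },
  },
};
// Constructed manifest shaped like a package that declares a preinstall hook.
const SAMPLE_PKG = { name: 'x', version: '0.0.1', scripts: { preinstall: 'node setup.js' } };

console.log(findCompromised(SAMPLE_LOCK)); // two hits: 0.7.29 and 0.8.0
console.log(installHooks(SAMPLE_PKG));     // [ 'preinstall' ]
```

Run it against a real `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of `SAMPLE_LOCK`; a hit at any path means the host should be handled as the advisory describes, not just upgraded.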

Affected Artifacts

ua-parser-js

npm · repository · Source Archive
Observed
2021-10-22
Compromised Versions
0.7.29, 0.8.0, 1.0.0
Fixed
0.7.30, 0.8.1, 1.0.1
Hashes
  • sha256:bd669280081a82e8f29f0c5a522169f2917fd522ac229b376189e763184307ba
  • md5:13f840772c7c04c7d2f4c202ff957b0c
  • md5:a4668a1b3f23b79ef07d1afe0152999e

Incident Context

Motive
Financial Gain
Attribution
Group
Cause
Compromised Account Credentials
Transitive
No
Actor
UNC3379
User Impact
8000000

External References

Source record: oss/attacks/uaparser-js/meta.yaml