ua-parser-js Credential Stealer Campaign - 2021
Compromised npm package distributing credential stealing malware
Incident Intelligence
FikreSekhel Research is tracking this campaign as a software supply chain compromise involving install-time execution paths.
Supply Chain Compromise
Malicious versions of ua-parser-js were published to npm and distributed malware targeting developers and build environments.
Severity
Critical
Status
Ecosystem
JavaScript
Affected packages
1
Primitive
Install-time Malware Execution
Attack surface
npm install
Trust boundary
Package registry -> Developer workstation
Published
2021-10-22
Attack Path
Compromised package → npm install → Install-time Malware Execution → Install-time execution → Credential exposure → CI/CD compromise
Technical Context
Compromised releases delivered credential theft and cryptomining payloads during installation.
Observed Behavior
Malicious code executed automatically during dependency installation.
Security Implication
Developer workstations and CI/CD environments were exposed to malware execution.
Recommended Actions
Remove affected versions, rotate credentials and review build environments.
| Severity | Package | Affected versions | CWE | Exploit maturity | Remediation |
|---|---|---|---|---|---|
| Critical | ua-parser-js Credential Stealer And Cryptominer Distribution | 0.7.29, 0.8.0, 1.0.0 | CWE-506 | Observed In The Wild | Upgrade to clean releases and rotate credentials. |