back to article If you're using this hijacked NPM library anywhere in your software stack, read this

The US government's Cybersecurity and Infrastructure Security Agency (CISA) has warned developers that a version of the ua-parser-js JavaScript library, available via NPM, was infected with data-stealing and cryptocurrency-mining malware. The package, which is fetched nearly eight million times a week, is used by software to …

  1. Richard 12 Silver badge

    WTF is anyone paying?

    I mean, let's assume the decryption works, and is faster than restoring your backups - both really long shots.

    There's no way you can't possibly actually trust any of the data you "get back" anyway.

    They could - and almost certainly did - put further unwelcome surprises in there. Or change a few important numbers - it's not like spotting "things that look like bank details" is hard, for example.

    1. brotherelf

      Re: WTF is anyone paying?

      The decrypt process might be better tested than the restore process, though. (What, cynical, me?)

      1. Brewster's Angle Grinder Silver badge
        Joke

        Re: WTF is anyone paying?

        Yeah, when it comes to data restoration, the ransomware folks are the professionals. They even encrypt your backups for you...

    2. J27

      Re: WTF is anyone paying?

      I'm convinced these people don't have off-site backups. So if they even had backups, they're encrypted too.

      If you can't be bothered to look after your backups, at least use an online backup service.

  2. Henry Wertz 1 Gold badge

    Sinclair

    Yup, my parents watch local news off KGAN (sinclair station); it is still autonomous enough that they didn't go off the air or have dead air instead of ads or whatever.

    But it must have killed the teleprompters, the one day they switched to another channel because the newscasters were just like "bare with us we are having technically difficulties", next day (and still I think...) they've been reading off of like 6 inches of printouts sitting in front of them.

  3. Mike 137 Silver badge

    "this hijacked NPM library ..."

    If you're using any 3rd party library check the darned code. Blindly trusting third party libraries is (sorry to use technical terminology) dumb.

    1. J27

      Re: "this hijacked NPM library ..."

      This is made very difficult by the way NPM works. Because NPM doesn't just pull down the library you want, but also the dependencies of that library, recursively. So you may have vetted one library, but missed all of it's dependencies dependencies. Add that to short development timelines (unless you're doing government work) and checking all the sources is a nearly impossible task, especially when code is updated all the time.

      Add that to the fact that the current JavaScript ecosystem is heavily dependent on NPM and you have a recipe for disaster.

      1. Pascal Monett Silver badge

        Recipe that apparently everyone is happily walking straight into, because then it's someone else's fault.

        What should be done is have a build server, make sure your code works there, then port all the used code to the production server and LOCK IT DOWN. No more calls to outside libraries, everything is on-site and under control.

        When the build server gets an update, CHECK THE UPDATE. Yes, AND ALL DEPENDANCIES.

        It's called security. Nobody said it was easy.

  4. Anonymous Coward
    Anonymous Coward

    Gotta love Microsoft for its massive PR security efforts to ensure nobody mentions the common thread in all ransomware: Windows..

    Cue downvotes and apologists..

    1. Anonymous Coward
      Anonymous Coward

      The common thread, easily openable Windows

      I was wondering this too: is there any sign yet of any drive encryption ransomware that can infect unix servers, or are they just going for the low hanging fruit?

      Sure, many of the users who will sadly fall for the "clicky link here" or "importanttt!!! file download" phishing emails may be using Windoze, but in many organisations their important work files will be stored on network drives mounted from unix servers.

      I guess potentially the payload might be able to start opening and rewriting (encrypting) files on the server that the user's account can access from the user's computer, but the chances of the malware creators additionally also shipping the right sort of executable for any of numerous Linux or other unix distros to run on the server (and the user's account actually having permissions to run executables there, and so try to worm its way from there into backups) must be pretty negligible?

      A good example of why a bit of heterogeneity is surely a good thing?

      1. Anonymous Coward
        Anonymous Coward

        Re: The common thread, easily openable Windows

        The one MASSIVE benefit that the Internet originally brought was interoperability (which is a word I needed some time to actually pronounce, but I digress :) ). It is also the single most important thing that every online vendor wants to get rid of: everyone is trying to create their own locked ecosphere..

    2. cyberdemon Silver badge
      Devil

      Github, which owns NPM these days, put out an advisory

      Should read: Microsoft, who own both GitHub and NPM these days, [don't really seem to give a shit?]

      For a package to be hosted on NPM and be available to normal users via the standard 'npm install' / 'npm update' commands, SURELY it should have to be signed-off by more than one developer, and ideally had a supervisory glance from someone at Microsoft.

      I'm sure PyPi do this.. Debian certainly do.

      Embrace, Extend... Exonerate all responsibility?

      Gotta love Microsoft for buying up the competition and then disclaiming any responsibility for good stewardship.. It's almost as if it buys the open source competitors only to let them rot and die inside its macrophage-like belly. Nah Microsoft would never do that.

  5. Lorribot

    This is why I am not a fan of open source software. One bloke maintaining a vital bit of software in shed with bad browsing habits, a lax attitude to security and passwords could bring your company to its knees.

    Yes I know it is not all of them but do you know for certain which are good, safe, secure well maintained, patched in a timely manner and which are not all of those?

    1. J27

      Those are the perils of open-source software. Closed-source software suffers from having no insight on the inner workings at all. It could be riddled with flaws and if the developer walks off you're totally SOL. You also missed the point if you have issues with open-source software you can fix them yourself (maybe you can't, but I definitely can).

      There is no panacea, but I think software that's developed open-source but with a big corporation paying the bills is a good middle ground. E.G. .NET Core, My SQL. That way you know it's likely to keep going, but if it doesn't you can pick up the code and fix it yourself or maybe someone else will.

  6. Anonymous Coward
    Anonymous Coward

    only fuckwits use NPM

    You have to be a fuckwit to use NPM.

    Also if your including shit not hosted on your own server, your a fucking idiot. (have you seen how many external sites a lot of "professional" web sites, pull crap from!!, I've seen quite a few that pull from as many as 50+domains, fucking crazy!).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like