
SECURITY-ISSUE: node_module dependency "ua-parser-js" is hijacked by malware #5769

Closed
5 tasks done
alex-drocks opened this issue Oct 22, 2021 · 6 comments
Labels
bug An error in the Docusaurus core causing instability or issues with its execution

Comments

@alex-drocks

alex-drocks commented Oct 22, 2021

🐛 Bug Report

ua-parser-js version 0.7.29 and higher contain malware
faisalman/ua-parser-js#536 (comment)

Prerequisites

  • I'm using the latest version of Docusaurus.
  • I have tried the npm run clear or yarn clear command.
  • I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
  • I have tried creating a repro with https://new.docusaurus.io
  • I have read the console error message carefully (if applicable)

Description

One of the dependencies installed with npm install of the latest Docusaurus version was hijacked by a malware executable file. See the above-mentioned GitHub issue link, where you will get more details.

@alex-drocks alex-drocks added bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Oct 22, 2021
@azinit

azinit commented Oct 22, 2021

@alex-drocks Maybe mark as "SECURITY-ISSUE:" at title too ?

@alex-drocks alex-drocks changed the title node_module dependency "ua-parser-js" is hijacked by malware SECURITY-ISSUE: node_module dependency "ua-parser-js" is hijacked by malware Oct 22, 2021
rogeruiz added a commit to transcom/mymove-docs that referenced this issue Oct 22, 2021
This came up in #infrasec-random as a security vulnerability. See the
[Slack thread here for more context][slack]

[slack]: https://trussworks.slack.com/archives/C5B2EAX96/p1634928729001500

See related security announcements here:

- faisalman/ua-parser-js#536
- facebook/docusaurus#5769

Co-authored-by: Felipe Lee <felipe@truss.works>
rogeruiz added a commit to transcom/mymove that referenced this issue Oct 22, 2021
the [Slack thread there for more context][slack] 🔒.

[slack]: https://trussworks.slack.com/archives/C5B2EAX96/p1634928729001500

See related security announcements here:

- faisalman/ua-parser-js#536
- facebook/docusaurus#5769

Co-authored-by: Felipe Lee <felipe@truss.works>
rogeruiz added a commit to transcom/mymove that referenced this issue Oct 22, 2021
This came up in Truss #infrasec-random as a security vulnerability. See
the [Slack thread there for more context][slack]

[slack]: https://trussworks.slack.com/archives/C5B2EAX96/p1634928729001500

See related security announcements here:

- faisalman/ua-parser-js#536
- facebook/docusaurus#5769

Co-authored-by: Felipe Lee <felipe@truss.works>
rogeruiz added a commit to transcom/mymove that referenced this issue Oct 22, 2021
This came up in Truss #infrasec-random as a security vulnerability. See
the [Slack thread there for more context][slack]

[slack]: https://trussworks.slack.com/archives/C5B2EAX96/p1634928729001500

See related security announcements here:

- faisalman/ua-parser-js#536
- facebook/docusaurus#5769

Co-authored-by: Felipe Lee <felipe@truss.works>
@lex111
Contributor

lex111 commented Oct 25, 2021

Looks like this security vulnerability in our transitive dependency ua-parser-js is fixed now, and the malware code is not available for download, so please reinstall your npm packages. Or at least make sure that your package-lock.json or yarn.lock file does not contain ua-parser-js with one of these versions: 0.7.29, 0.8.0, 1.0.0.
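A lockfile check for the three compromised ua-parser-js versions named above, as an added example that is not part of this issue or of the Docusaurus project; it handles both package-lock.json (v1 nested "dependencies" and v2/v3 flat "packages") and yarn.lock v1, and the sample lockfile contents below are constructed for illustration.

```javascript
// Added example, not from the issue or the Docusaurus project.
// Reports any resolved ua-parser-js version that is one of the
// hijacked releases (0.7.29, 0.8.0, 1.0.0) listed in the thread.
const COMPROMISED = new Set(['0.7.29', '0.8.0', '1.0.0']);
const PKG = 'ua-parser-js';

// package-lock.json: lockfileVersion 1 nests entries under "dependencies";
// versions 2 and 3 also list every installed path under "packages".
function scanPackageLock(jsonText) {
  const lock = JSON.parse(jsonText);
  const hits = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && COMPROMISED.has(entry.version)) {
      hits.add(entry.version);
    }
  }
  const walk = (deps) => { // recurse through nested v1-style trees
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === PKG && COMPROMISED.has(entry.version)) hits.add(entry.version);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...hits];
}

// yarn.lock v1: an unindented "ua-parser-js@<range>:" header followed by
// indented fields, one of which is `version "x.y.z"`.
function scanYarnLock(text) {
  const hits = new Set();
  const re = /^"?ua-parser-js@[^\n]*:\n(?:[ \t]+[^\n]*\n)*?[ \t]+version "([^"]+)"/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (COMPROMISED.has(m[1])) hits.add(m[1]);
  }
  return [...hits];
}

// Constructed sample lockfiles (not real project files).
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: { 'node_modules/ua-parser-js': { version: '0.7.29' } },
  dependencies: { 'ua-parser-js': { version: '0.7.29' } },
});
const SAMPLE_YARN_LOCK =
  'react@^17.0.0:\n  version "17.0.2"\n\n' +
  'ua-parser-js@^0.7.28:\n  version "0.7.30"\n' +
  '  resolved "https://example.invalid/ua-parser-js-0.7.30.tgz"\n';

console.log('package-lock.json hits:', scanPackageLock(SAMPLE_PACKAGE_LOCK)); // ['0.7.29']
console.log('yarn.lock hits:', scanYarnLock(SAMPLE_YARN_LOCK));               // []
```

Run it against a real lockfile by passing the file contents (for example from fs.readFileSync) to the matching function; an empty array means none of the three hijacked versions is pinned.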

@lex111 lex111 closed this as completed Oct 25, 2021
@alex-drocks
Author

Thanks for looking at the issue. Please do not close it yet. The beta-8 is still linked to the issue. I really suggest bumping out of the compromised version range of ua-parser-js even if those packages were removed at the source. It is a major security issue, not a simple potential problem. I tried to reinstall beta-8 a few minutes ago and it does not install properly. It cannot start the dev server. There is still dust falling down around the issue. It should be visible.

@Josh-Cena
Collaborator

The malicious versions have been removed from the NPM registry. The versions should now resolve to 0.7.30 / 0.8.1 / 1.0.1, which are clean versions. Tried with a fresh install myself and I got 0.7.30.

@alex-drocks
Author

> The malicious versions have been removed from the NPM registry. The versions should now resolve to 0.7.30 / 0.8.1 / 1.0.1, which are clean versions. Tried with a fresh install myself and I got 0.7.30.

Good to know. Thank you for checking. In my case the install failed, but it was not a fresh install (it's an active project which was at beta-6).

@slorber
Collaborator

slorber commented Oct 27, 2021

Expo has a good write-up on this:
https://blog.expo.dev/ua-parser-js-and-malicious-npm-packages-8c13ee4141a

@Josh-Cena Josh-Cena removed the status: needs triage This issue has not been triaged by maintainers label Feb 21, 2022