Supply Chain Incident
ua-parser-js npm package account compromise
Malicious versions of ua-parser-js were published to npm after maintainer account compromise, delivering credential-stealing and cryptomining payloads.
Executive Summary
The ua-parser-js incident is modeled as an npm maintainer-account compromise that allowed malicious package versions to be published.
The corpus records both credential theft and cryptomining impact categories because the malicious versions delivered those payload classes.
Timeline
- Malicious versions disclosed: The incident was publicly documented on the same date recorded for first observation and disclosure in the corpus.
Attack Chain
- Maintainer account compromise: The compromise path is represented as account compromise because a package-registry maintainer account enabled malicious publication.
- Malicious npm publication: The malicious versions were distributed through the npm registry under the ua-parser-js package name.
- Payload execution risk: The recorded payload categories are credential theft and cryptomining, matching the incident's package-level impact model.
Affected Ecosystem
The affected ecosystem is npm, with ua-parser-js preserved as the package entity and npm as the distribution channel.
Defensive Lessons
Registry account compromise should be treated as a direct package-publication risk, even when source repositories are not the primary compromise point.
Consumers should be able to identify and quarantine known malicious package versions quickly when a package registry account is abused.
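One way to act on the lesson above, as an added example that is not part of the original record: a Node.js function that walks a parsed package-lock.json and reports any install of the three ua-parser-js releases this record lists as affected. The sample lockfiles and the `some-lib` dependency name are constructed for illustration.

```javascript
// Added example: flag the ua-parser-js releases this record lists as affected.
const AFFECTED = new Map([["ua-parser-js", new Set(["0.7.29", "0.8.0", "1.0.0"])]]);

// Walk a parsed package-lock.json and return every affected install found.
// Handles lockfileVersion 2/3 ("packages", keyed by install path) and
// lockfileVersion 1 ("dependencies", nested by package name).
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (AFFECTED.get(name)?.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Path looks like "node_modules/a/node_modules/ua-parser-js"; the
      // package name is whatever follows the last "node_modules/".
      const name = meta.name || path.split("node_modules/").pop();
      check(name, meta.version, path);
    }
  } else {
    // Transitive copies are nested, so recurse and keep the dependency trail.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project);
// "some-lib" is a hypothetical dependency name.
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.0.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
    "ua-parser-js": { version: "0.8.1" },
  },
};
for (const lock of [sampleV3, sampleV1]) console.log(findAffected(lock));
```

To check a real project, pass the function the result of `JSON.parse` on the project's package-lock.json; any non-empty result identifies an install path to quarantine.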
Detection Notes
Useful pivots include the ua-parser-js package name, npm registry publication activity, and references to credential-stealing or cryptomining payload behavior.
Open Questions
The corpus records the compromised npm maintainer account path but does not identify a named attacker or broader intrusion cluster.
Affected Packages
Affected Releases
- ua-parser-js@0.7.29 · pkg:npm/ua-parser-js@0.7.29 · published 2021-10-22 · Release
- ua-parser-js@0.8.0 · pkg:npm/ua-parser-js@0.8.0 · published 2021-10-22 · Release
- ua-parser-js@1.0.0 · pkg:npm/ua-parser-js@1.0.0 · published 2021-10-22 · Release
Repositories
No structured records.
Organizations
No structured records.
Maintainers
No structured records.
Threat Actors
No structured records.
Campaigns
No structured records.
Build Systems
No structured records.
Distribution Channels
- npm registry
Compromised Accounts
- ua-parser-js npm maintainer account
Connected Entities
- npm registry · Distribution Channel
- ua-parser-js · Package
- ua-parser-js npm maintainer account · Compromised Account
- ua-parser-js@0.7.29 · Release
- ua-parser-js@0.8.0 · Release
- ua-parser-js@1.0.0 · Release
References
- Malware in ua-parser-js · GitHub Advisory Database · 2021-10-22