UAParser.js (npm package ua-parser-js) Supply Chain Attack: Impact and Response
At the very least, check the package caches on developer machines for the malicious versions and check those machines for running malware. The most dangerous window appears to have been Friday 22 October 2021 between roughly 12:15 and 16:27 UTC, when the malicious releases were tagged as the latest versions on the registry, so any install that resolved the package during that window picked them up.

Malware shipped through a package manager can endanger many parts of an environment. You are affected if:

- you explicitly added one of the malicious versions to your package, or
- you had a direct or indirect (transitive) dependency on ua-parser-js without locking the resolved version. A committed lockfile (package-lock.json, npm-shrinkwrap.json or yarn.lock) pins the exact version, so a locked install would only have pulled the malicious release if the lockfile itself was refreshed during the window.

Mitigating factors: not running npm install, yarn install, or any other command that re-resolves dependencies while the malicious package was available.

Don't forget CI/CD. A pipeline that installs dependencies on every build, or a pull request that updated some other package and caused the dependency tree to be re-resolved, could have pulled the malicious version and triggered the malware on the build runner, even if no developer touched the package directly.
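The cache and lockfile check described above, as an added example that is not part of the original page: a POSIX shell script that walks a tree (a developer home directory, a repository checkout, or a CI runner's workspace and caches) and reports lockfiles, npm cache index entries and yarn cache directories that reference a malicious version. The version list (0.7.29, 0.8.0, 1.0.0) is supplied here from the public advisory for ua-parser-js, not from the page; the cache layouts assumed are those of npm 6+ (~/.npm/_cacache/index-v5, whose index lines contain the tarball URL) and yarn v1 (~/.cache/yarn/v6/npm-<name>-<version>-<hash>). The constructed fixture in make_fixture exists only to exercise the scanner offline. Which running process to look for is a separate question answered by the advisory's indicators, which the page does not name.

```shell
#!/bin/sh
# Hunt for the malicious ua-parser-js releases in lockfiles and package caches.
# Added example, not code from the page or the UAParser.js project.
# The version list below comes from the public advisory (assumption: adjust it
# if the advisory is updated). "([^0-9]|$)" stops 0.8.0 from matching 0.8.01.
MALICIOUS_RE='ua-parser-js-(0\.7\.29|0\.8\.0|1\.0\.0)([^0-9]|$)'

# scan_tree DIR
# Prints one hit per line for every lockfile and npm _cacache index entry under
# DIR whose content references a malicious tarball, and for every directory
# whose name does (yarn v1 cache entries are named npm-<name>-<version>-<hash>).
# Returns 0 when at least one hit was found, 1 otherwise.
scan_tree() {
    dir="$1"
    hits=$(
        # Files whose contents carry the resolved tarball URL or the cache key.
        find "$dir" -type f \( -name package-lock.json -o -name npm-shrinkwrap.json \
              -o -name yarn.lock -o -path '*/_cacache/index-v5/*' \) \
              -exec grep -lE "$MALICIOUS_RE" {} + 2>/dev/null || true
        # Directories whose names carry the version (yarn v1 cache).
        find "$dir" -type d 2>/dev/null | grep -E "$MALICIOUS_RE" || true
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# make_fixture
# Builds a constructed, offline test tree and prints its path: one lockfile
# with a malicious resolved URL, one clean yarn.lock, one npm cache index
# entry for a malicious tarball, and one malicious plus one clean yarn cache
# directory. Constructed data only; none of it is real cache content.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/.npm/_cacache/index-v5/aa/bb" \
             "$root/.cache/yarn/v6/npm-ua-parser-js-0.7.29-deadbeef" \
             "$root/.cache/yarn/v6/npm-ua-parser-js-0.7.28-cafebabe"
    cat > "$root/app/package-lock.json" <<'EOF'
{
  "name": "app",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/ua-parser-js": {
      "version": "0.8.0",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.8.0.tgz"
    }
  }
}
EOF
    cat > "$root/app/yarn.lock" <<'EOF'
ua-parser-js@^0.7.28:
  version "0.7.28"
  resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.28.tgz#abc"
EOF
    # Constructed npm cache index line in the shape npm writes (key holds the URL).
    printf '%s\n' '{"key":"make-fetch-happen:request-cache:https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.0.tgz","integrity":"sha512-constructed"}' \
        > "$root/.npm/_cacache/index-v5/aa/bb/0123"
    echo "$root"
}

# Usage: sh scan.sh DIR   (e.g. a developer home directory or a CI runner workspace)
# With no argument the script only defines the functions; scan_tree "$(make_fixture)"
# runs it against the constructed fixture and should report three hits.
if [ $# -gt 0 ]; then
    if scan_tree "$1"; then
        echo "malicious ua-parser-js artefacts found under $1"
    else
        echo "no malicious ua-parser-js artefacts under $1"
    fi
fi
```

Run it on every developer workstation and on each CI runner's home directory and workspace, not just on repositories: a hit in the npm or yarn cache means the tarball was fetched on that machine during the window even if no lockfile still references it, which is exactly the case the "check for running malware" advice is about.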