Remote-Url: https://github.com/advisories/GHSA-pjwm-rvh2-c87w
Retrieved-at: 2021-10-23 16:00:26.614500+00:00

Skip to content
 
GHSA-pjwm-rvh2-c87w
Sign up

  * Why GitHub?
    Features ?
      + Mobile ?
      + Actions ?
      + Codespaces ?
      + Packages ?
      + Security ?
      + Code review ?
      + Issues ?
      + Integrations ?
      + GitHub Sponsors ?
      + Customer stories?
  * Team
  * Enterprise
  * Explore
      + Explore GitHub ?

    Learn and contribute

      + Topics ?
      + Collections ?
      + Trending ?
      + Learning Lab ?
      + Open source guides ?

    Connect with others

      + The ReadME Project ?
      + Events ?
      + Community forum ?
      + GitHub Education ?
      + GitHub Stars program ?
  * Marketplace
  * Pricing
    Plans ?
      + Compare plans ?
      + Contact Sales ?
      + Education ?

[                    ] 

  *  
    #
    Search All GitHub ?
    Jump to ?

  * No suggested jump to results

  *  
    #
    Search All GitHub ?
    Jump to ?
  *  
    #
    Search All GitHub ?
    Jump to ?
  *  
    #
    Search All GitHub ?
    Jump to ?

Sign in
Sign up
{{ message }}

 1. GitHub Advisory Database
 2. GHSA-pjwm-rvh2-c87w

Embedded malware in ua-parser-js

critical severity Published Oct 22, 2021 ? Updated Oct 22, 2021
Vulnerability details Dependabot alerts 0

Package

ua-parser-js (npm)

Affected versions

= 0.7.29
= 0.8.0
= 1.0.0

Patched versions

0.7.30
0.8.1
1.0.1

Description

The npm package ua-parser-js had three versions published with malicious code.
Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as
possible and check their systems for suspicious activity. See this issue for
details as they unfold.

Any computer that has this package installed or running should be considered
fully compromised. All secrets and keys stored on that computer should be
rotated immediately from a different computer. The package should be removed,
but as full control of the computer may have been given to an outside entity,
there is no guarantee that removing the package will remove all malicious
software resulting from installing it.

References

  * faisalman/ua-parser-js#536
  * https://www.npmjs.com/package/ua-parser-js
  * faisalman/ua-parser-js#536 (comment)

GHSA ID

GHSA-pjwm-rvh2-c87w

CWEs

CWE-506

  * ? 2021 GitHub, Inc.
  * Terms
  * Privacy
  * Security
  * Status
  * Docs

 

  * Contact GitHub
  * Pricing
  * API
  * Training
  * Blog
  * About

You can?t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You
signed out in another tab or window. Reload to refresh your session.