How a Hijacked UAParser.js npm Package Infected Hundreds of Thousands of Machines
A compromised UAParser.js npm package spread cryptomining malware and credential-stealing code to an estimated 188,000 computers within four hours, prompting urgent upgrade and two-factor authentication advice for developers relying on this popular JavaScript library.
UAParser.js is a widely used JavaScript library that detects the browser, engine, operating system, CPU, and device type/model from user-agent data. It has a small footprint (about 17 KB minified, 6 KB gzipped) and runs in both browsers and Node.js.
The package receives roughly 8 million downloads per week and is employed by major tech companies such as Google, Amazon, Facebook, IBM, and Microsoft.
After the developers began receiving hundreds of spam emails, they discovered that their npm account had been hijacked and that malicious versions of the package (0.7.29, 0.8.0, 1.0.0) had been published. These versions install malware that launches cryptominers on Windows, macOS, and Linux machines and steals cookies and passwords stored in Chrome.
Based on weekly download numbers and the four‑hour window during which the malicious versions were available, it is estimated that around 188,000 computers were infected in that short period.
Because of npm's publishing mechanism, the malicious releases cannot be removed. Developers are urged to upgrade UAParser.js to the latest version immediately and to audit their dependency trees, since indirect (transitive) dependencies may also pull in the compromised versions.
Additionally, all npm accounts should enable two‑factor authentication to prevent similar attacks.