Malware found in famous npm packages “coa” and “rc” downloaded 23 million times a week


The security team at npm, the JavaScript package manager, has discovered that two of its most popular packages were hijacked by attackers, and has warned users that the attackers released new versions laced with what appeared to be password-stealing malware.

After a developer’s account was compromised, multiple versions of the “coa” package were detected that exposed malicious code.

We immediately removed the compromised versions and published an advisory.

https://github.com/advisories/GHSA-73qr-pfmq-6rp8

Npm itself has not been compromised.

The affected packages are coa and rc:

  • coa is a command line argument parser and is downloaded 8.8 million times per week.
  • rc is a configuration loader and is downloaded about 14.2 million times each week.
  • Malware-infested versions of coa: 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3.
  • Malware-infested versions of rc: 1.2.9, 1.3.9, 2.3.9.

These two packages were compromised at the same time, with the attacker gaining access to the accounts of the package developers.

The malicious script runs obfuscated TypeScript, checks the operating system details, and then downloads either a Windows batch script or a Linux bash script.

Analysis of an obfuscated Windows batch script shows that the compromised package downloads and executes a DLL file containing a version of the Qakbot Trojan.

coa script

Malware in coa was first discovered when builds of React-based applications started crashing.

The npm team has stated that, after a spate of build-failure reports and immediately after detecting the malware in coa, the compromised [developer] account was temporarily disabled and is being monitored for similar activity.

A few hours later, the rc package was found to be compromised.

On investigation, multiple versions of the “rc” package containing malware identical to that in the “coa” package were identified.

Since then, npm’s security team has removed all compromised versions of coa and rc to prevent users from being accidentally infected.

But both libraries are extremely widely used, the malicious code is well hidden, and neither library had seen a new release for years: coa’s last legitimate release was in December 2018 and rc’s in December 2015.

As pointed out on GitHub, the malicious code in this case is almost identical to the code used to introduce malware into the UAParser library in late October.
