COA and RC npm Packages Hijacked
Coa and Rc Were Compromised with DanaBot, a Windows Malware for Stealing Credentials and Passwords.
In a different supply chain attack on open-source software repositories, two widely deployed npm packages with nearly 22 million downloads per week were discovered to be infected with malicious code after unauthorized access to the respective developer’s accounts was obtained.
coa and rc npm Packages Hijacked
The first one is the popular npm library called coa (Command-Option-Argument), a parser for command-line options which was hijacked last week with malicious code injected into it, briefly affecting React pipelines all over the world.
The ‘coa’ library has over 8.700,000 million weekly downloads on npm and is used by nearly 5 million open source repositories on GitHub.
The second component is called rc, a “non-configurable configuration loader for lazy people” which was hijacked to run malicious code in Windows environments a few hours after the coa hijacking discovery. On average, the ‘rc’ library receives 14 million downloads every week.
Last Thursday, developers everywhere were shocked to see new releases for npm library ‘coa’—a project that hasn’t been touched for years, appear on npm out of the blue.
coa is a command-line options parser for Node.js projects. According to BleepingComputer, the last stable variant 2.0.2 for the project was published three years ago.
All versions of coa starting with 2.0.3 and above (2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, and 3.1.3) have been impacted.
A React developer stated:
I’m not sure why or what happened but 10 minutes ago there was a release (even though the last change on GitHub was in 2018). Whatever this release did, it broke the internet.
And he was not the only one. Since the latest ‘coa’ releases hit npm, several other developers have reported having problems with their builds.
Shortly after, versions 1.2.9, 1.3.9, and 2.3.9 of rc library have been found contaminated with malware.
A Familiar Malware
In October, the UA-Parser-JS NPM library was hijacked and used to install password-stealers and crypto miners on unsuspecting users’ terminals. The library is used in over a thousand additional projects like the ones of Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and others.
According to BleepingComputer, the trojan in the impacted ‘coa’ variants is remarkably similar to the code discovered in the hijacked ua-parser-js versions, implying that the cybercriminals behind these attacks are connected.
According to further investigation of the malware samples, it seems to be a DanaBot version which is a Windows virus that steals credentials and passwords.
Danabot malware is an advanced malicious program used as a banking trojan, and when deployed, will execute malicious activities such as stealing passwords from web browsers and applications, stored credit cards, taking screenshots of the active screens, and logging keystrokes.
Recommendations for coa and rc Users
First of all, users of the “coa” and “rc” libraries are strongly encouraged to verify their projects for malicious code and delete them if needed. This includes checking for the existence of either compile.js, compile.bat, sdd.dll files.
According to BleepingComputer, since this “sdd.dll” version has also been identified as a trojan on VirusTotal, and the one dropped by “ua-parser-js” was a credential stealer, impacted users should perceive their device damaged and change their passwords, keys, and refresh tokens, as they were probably compromised and sent to the attacker.
NPM has removed the compromised versions and, if I understand correctly, blocked new versions from being published temporarily while recovering access to the package.
No fix should be needed as the affected versions have been removed. But I’m leaving what I wrote initially just in case something does go wrong again. For now I’d advise you to pin the version as described below until this has been resolved conclusively.
Users of the compromised versions of coa (2.0.3 and higher) are recommended to immediately downgrade to 2.0.2 and monitor their computers for unusual behavior.
Users of the compromised versions of rc should also downgrade to 1.2.8 as soon as possible.
following ongoing investigations, we identified in real time multiple versions of the “rc” package containing identical malware to the “coa” package. malicious versions of “rc” were immediately removed from the registry and we have published an advisory: https://t.co/9MoSyhAt3S
— npm (@npmjs) November 4, 2021