With over 1.8 billion websites online today, about 98% of them are powered by JavaScript. The flexibility and portability the language offers to rich online functionality have today become a significant vector for cyberattacks.

Then what is npm’s role? It is simply a package manager for the JavaScript programming language maintained by npm and a default package manager for Node.js. Recently, two popular npm libraries were caught up in a whirlwind of attacks.

Making the headlines

Researchers say both packages were compromised around the same time by hijacking into the developers’ accounts.
  • An unknown threat actor tampered with Coa and rc npm packages to include identical password-stealing malware.
  • Coa is a parser for command-line options with approximately 8.8 million weekly downloads and rc is a configuration loader with approximately 14.2 million weekly downloads.
  • Experts warn that compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9.

How the hackers sneak in

  • The attackers attempt to gain access to the developer’s account to illegally access the npm package and tamper it.
  • Then a post-installation script is added to the original codebase, which runs an obfuscated TypeScript. 
  • The script checks the OS of the machine and soon proceeds to download a Windows batch or Linux bash script depending on the identified OS.
  • As per the report, the Windows batch script downloads a DLL file containing a version of the Qakbot Trojan. Bleeping computer experts identify it as Danabot password-stealing Trojan.

Still, there’s a reason to keep calm

Both the libraries are popular and widely used by different teams worldwide. The code tampering is easier to get identified by developers and users for the below top reasons:
  • Both Coa and rc haven’t received any new releases since December 2018 and December 2015, respectively. If any, the words would have been out across top forums.
  • Secondly, the malicious code was poorly hidden, as pointed out by experts.

Moreover, any new release would have triggered a security audit for most professional developer teams.

Recent attacks via NPM packages

  • In the last week of October, security experts also unearthed two malicious NPM packages—noblox.js-proxy and noblox.js-proxies—dropping ransomware and password-stealing malware on users.
  • In the same week, researchers stumbled across crypto-mining malware hidden inside three JavaScript libraries, including klow, klown, and okhsa uploaded on the official npm package repository.
  • A week prior, hackers rigged UAParser.js, a very popular npm package used by tech giants, including Facebook, Apple, Amazon, Microsoft, and Slack, with a password stealer and cryptocurrency miner.

Coincidence? The malware found in the hacked 'coa' versions is virtually identical to the code found in the hijacked UAParser.js versions. Experts suspect the presence of the same threat actor behind the two supply chain attacks.

Be safe

Security analysts claim no special effort is required to fix the issue since the affected versions have been removed. Users of the coa and rc libraries must check their ongoing projects for malicious software. Also, check for the existence of compile.js or compile.bat or sdd.dll files and delete them.

Cyware Publisher