Analyzing the Deadly Rise in NPM Package Hijacking

Making the headlines

• An unknown threat actor tampered with Coa and rc npm packages to include identical password-stealing malware.
• Coa is a parser for command-line options with approximately 8.8 million weekly downloads and rc is a configuration loader with approximately 14.2 million weekly downloads.
• Experts warn that compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9.

How the hackers sneak in

• The attackers attempt to gain access to the developer’s account to illegally access the npm package and tamper it.
• Then a post-installation script is added to the original codebase, which runs an obfuscated TypeScript. 
• The script checks the OS of the machine and soon proceeds to download a Windows batch or Linux bash script depending on the identified OS.
• As per the report, the Windows batch script downloads a DLL file containing a version of the Qakbot Trojan. Bleeping computer experts identify it as Danabot password-stealing Trojan.

Still, there’s a reason to keep calm

• Both Coa and rc haven’t received any new releases since December 2018 and December 2015, respectively. If any, the words would have been out across top forums.
• Secondly, the malicious code was poorly hidden, as pointed out by experts.

Recent attacks via NPM packages

• In the last week of October, security experts also unearthed two malicious NPM packages—noblox.js-proxy and noblox.js-proxies—dropping ransomware and password-stealing malware on users.
• In the same week, researchers stumbled across crypto-mining malware hidden inside three JavaScript libraries, including klow, klown, and okhsa uploaded on the official npm package repository.
• A week prior, hackers rigged UAParser.js, a very popular npm package used by tech giants, including Facebook, Apple, Amazon, Microsoft, and Slack, with a password stealer and cryptocurrency miner.

Be safe