Making the headlines
Researchers say both packages were compromised at around the same time by hijacking the developers’ accounts.
An unknown threat actor tampered with Coa and rc npm packages to include identical password-stealing malware.
Coa is a parser for command-line options with approximately 8.8 million weekly downloads and rc is a configuration loader with approximately 14.2 million weekly downloads.
Experts warn that compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9.
How the hackers sneak in
The attackers first gain access to the developer’s account, which lets them publish tampered versions of the npm package.
A post-installation script is then added to the original codebase; it runs an obfuscated TypeScript file.
The script checks the OS of the machine and then downloads either a Windows batch script or a Linux bash script, depending on the OS it identifies.
According to the report, the Windows batch script downloads a DLL file containing a version of the Qakbot Trojan; BleepingComputer experts identify it as the Danabot password-stealing Trojan.
Still, there’s a reason to keep calm
Both libraries are popular and widely used by teams worldwide. Even so, the tampering was easy for developers and users to spot, for three main reasons:
First, neither coa nor rc had received a new release since December 2018 and December 2015 respectively, so any new release would have been noticed and discussed across the major forums.
Second, the malicious code was poorly hidden, as experts pointed out.
Third, any new release would have triggered a security audit at most professional development teams.
Recent attacks via NPM packages
In the last week of October, security experts also unearthed two malicious NPM packages—noblox.js-proxy and noblox.js-proxies—dropping ransomware and password-stealing malware on users.
A week prior, hackers rigged UAParser.js, a very popular npm package used by tech giants, including Facebook, Apple, Amazon, Microsoft, and Slack, with a password stealer and cryptocurrency miner.
Coincidence? The malware found in the hijacked coa versions is virtually identical to the code found in the hijacked UAParser.js versions, and experts suspect the same threat actor is behind both supply chain attacks.
Security analysts say no special effort is required to fix the issue, since the affected versions have been removed. Users of the coa and rc libraries should still check their existing projects for the malicious software, and look for any compile.js, compile.bat or sdd.dll files and delete them.