
Popular npm libraries coa and rc have been hijacked: the threat actors published new versions laced with password-stealing malware.

  • The security team of the npm JavaScript package manager warns that two npm libraries, coa and rc, have been hijacked.
  • The compromised coa versions include 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3.
  • The compromised rc versions include 1.2.9, 1.3.9, 2.3.9.

Coa is a command-line argument parser with approximately 9 million weekly downloads, while Rc is a configuration loader with 4 million weekly downloads. 

Experts warn that compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9.

Image: hijacked versions of the npm package `coa` (credit: @BleepingComputer)

The attackers gained access to the package developer's account, then added a post-installation script to the original codebase. The script runs obfuscated TypeScript that checks operating system details and downloads a Windows batch script or a Linux bash script.

According to a deobfuscated version of the Windows batch script, the compromised packages would download and run a DLL file that, according to Windows Defender and others, contained a version of the Qakbot trojan.

“The compromised [developer] account has been temporarily disabled, and we are actively investigating the incident and monitoring for similar activity,” said the npm team on Thursday.

Since then, the npm security team has removed all the compromised coa and rc versions to prevent developers from accidentally infecting themselves.
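A lockfile written while those versions were still published can still reference them, so the added example below (not code from npm or from the original article) scans a parsed `package-lock.json` object for the coa and rc versions listed above. The function names, the sample lockfile and the `build-tool` package are assumptions made for illustration.

```javascript
// Added example: the versions below are the compromised releases listed in this article.
const COMPROMISED = new Map([
  ['coa', new Set(['2.0.3', '2.0.4', '2.1.1', '2.1.3', '3.0.1', '3.1.3'])],
  ['rc', new Set(['1.2.9', '1.3.9', '2.3.9'])],
]);

// Lockfile v2/v3 keys are install paths such as "node_modules/a/node_modules/coa";
// the package name is whatever follows the last "node_modules/" segment.
function nameFromPath(pkgPath) {
  const i = pkgPath.lastIndexOf('node_modules/');
  return i === -1 ? pkgPath : pkgPath.slice(i + 'node_modules/'.length);
}

// Returns [{ name, version, where }] for each compromised entry found in a
// parsed package-lock.json object (lockfileVersion 1, 2 or 3).
function findCompromised(lock) {
  const hits = [], seen = new Set();
  const record = (name, version, where) => {
    const bad = COMPROMISED.get(name);
    const key = `${where}@${version}`; // de-duplicates v2's two copies of the tree
    if (bad && bad.has(version) && !seen.has(key)) {
      seen.add(key);
      hits.push({ name, version, where });
    }
  };
  // v2/v3: flat "packages" map keyed by install path ('' is the root project).
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    record(nameFromPath(p), meta.version, p);
  }
  // v1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      record(name, meta.version, where);
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (hypothetical project and "build-tool" package).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/rc': { version: '1.2.8' },
    'node_modules/build-tool/node_modules/coa': { version: '2.0.3' },
  },
};
console.log(findCompromised(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findCompromised`; any hit means the install ran the post-installation script described above and the host should be treated as potentially compromised.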
