Two NPM packages with 22 million weekly downloads found in the backdoor

In yet another case of a supply chain attack targeting open source software repositories, two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised by malicious code by obtaining a unauthorized access to the accounts of the respective developers.

The two libraries in question are “coa”, a command line option analyzer, and “rc”, a configuration loader, both of which have been tampered with by an unidentified malicious actor to include “identical” malware from password theft.

GitHub automatic backups

All versions of coa starting with 2.0.3 and above – 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1 and 3.1.3 – are impacted, and users of the affected versions are invited to downgrade to 2.0.2 as soon as possible and check their systems for any suspicious activity, according to a GitHub notice posted on November 4. Likewise, rc versions 1.2.9, 1.3.9, and 2.3.9 were found to be linked with malware, with an independent alert urging users to downgrade to version 1.2.8.

Further analysis of abandoned malware samples shows it to be a variant of DanaBot which is Windows malware to steal credentials and passwords, echoing two similar incidents from the past month which resulted in the compromise of UAParser.js as well as the publication of malicious, typosquatted files. Roblox NPM Libraries.

Prevent data breaches

“To protect your accounts and packages against similar attacks, we strongly recommend that you enable [two-factor authentication] on your NPM account, “NPM noted in a tweet.

Sam D. Gomez