[TheRecord] Malware found in coa and rc, two npm packages with 23M weekly downloads

The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.

Affected packages include coa and rc:

Coa is a command-line argument parser with ~8.8 million weekly downloads.
Rc is a configuration loader with ~14.2 million weekly downloads.
Compromised coa versions: 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3
Compromised rc versions: 1.2.9, 1.3.9, 2.3.9

Both packages were compromised around the same time and were the result of attackers gaining access to a package developer’s account.

Once inside, the threat actor added a post-installation script to the original codebase. That script ran an obfuscated TypeScript file which checked for operating system details and then downloaded a Windows batch or Linux bash script.

According to a deobfuscated version of the Windows batch script, the compromised packages would download and run a DLL file that, according to Windows Defender and others, contained a version of the Qakbot trojan.

The coa compromise was spotted first, after its new installation routine started crashing build pipelines for React-based applications.

“The compromised [developer] account has been temporarily disabled and we are actively investigating the incident and monitoring for similar activity,” the npm team said on Thursday, shortly after detecting the coa compromise following a wave of reports about failed builds.

the compromised account has been temporarily disabled and we are actively investigating the incident and monitoring for similar activity. we will share additional information as appropriate based on our investigation. [2/3]

— npm (@npmjs) November 4, 2021

The compromise of the rc package was discovered hours later.

Since then, the npm security team has removed all the compromised coa and rc versions to prevent developers from accidentally infecting themselves.

However, both compromises had no chance of slipping through. Both libraries are extremely widely used, the malicious code was poorly hidden, and both libraries hadn’t seen new releases since December 2018 and December 2015, respectively, meaning that any new release would have triggered a security audit for most professional developer teams.

As was pointed out on GitHub yesterday, the malicious code involved in these incidents is almost identical to that used in the compromise of the UAParser library in late October.

The post Malware found in coa and rc, two npm packages with 23M weekly downloads appeared first on The Record by Recorded Future.
