Two NPM packages with 22 million weekly downloads found backdoored



In yet another supply chain attack targeting open source software repositories, two popular NPM packages with a combined weekly download count of nearly 22 million were found to have been compromised with malicious code after an attacker obtained unauthorized access to the respective developers' accounts.

The two libraries in question are “coa,” a parser for command-line options, and “rc,” a configuration loader, both tampered with by an unidentified threat actor to include “identical” password-stealing malware.


All versions of coa starting with 2.0.3 and above – 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1 and 3.1.3 – are impacted, and users of the affected versions are advised to downgrade to 2.0.2 as soon as possible and check their systems for any suspicious activity, according to a GitHub advisory published November 4. Similarly, rc versions 1.2.9, 1.3.9 and 2.3.9 were found to be laced with malware, with an independent alert urging users to revert to version 1.2.8.
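As an added example (not from the article or from the coa/rc projects), the following script flags the compromised version numbers listed above anywhere in a parsed package-lock.json, including transitively nested copies, which a glance at the top-level dependencies would miss. The sample lockfiles are constructed for the demonstration.

```javascript
// Added example (not from the article): flag the compromised coa and rc
// versions named in the advisories inside a parsed package-lock.json.
const COMPROMISED = {
  coa: new Set(['2.0.3', '2.0.4', '2.1.1', '2.1.3', '3.0.1', '3.1.3']),
  rc: new Set(['1.2.9', '1.3.9', '2.3.9']),
};
// lock = JSON.parse(fs.readFileSync('package-lock.json')). Lockfile v2/v3 lists
// every installed copy under "packages" keyed by node_modules path; v1 nests
// copies under "dependencies". Nested copies matter: a transitive dependency
// can pull in a bad version even when the top-level copy is clean.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      // name = everything after the last "node_modules/" (keeps @scope/name)
      const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 13);
      check(name, meta.version, path);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfiles (not real projects), one in each format.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/rc': { version: '1.2.8' }, // safe
    'node_modules/coa': { version: '2.0.4' }, // compromised
    'node_modules/some-tool/node_modules/rc': { version: '1.3.9' }, // compromised, nested
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { coa: { version: '2.0.2' }, 'some-tool': { dependencies: { rc: { version: '2.3.9' } } } },
};
console.log(findCompromised(SAMPLE_LOCK_V2)); // coa 2.0.4 and nested rc 1.3.9
console.log(findCompromised(SAMPLE_LOCK_V1)); // nested rc 2.3.9
```

A hit on a nested path means the bad version came in through the intermediate package named in that path, so fixing it requires updating or overriding that dependency rather than the top-level one.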

Follow-up analysis of the dropped malware samples shows that it is a variant of DanaBot, Windows malware that steals credentials and passwords, echoing two similar incidents last month that resulted in the compromise of UAParser.js and the publication of rogue, typosquatted Roblox NPM libraries.


“To protect your accounts and packages against similar attacks, we strongly recommend that you activate [two-factor authentication] on your NPM account,” NPM noted in a tweet.
