Malicious code found in popular NPM packages coa and rc

Tomcat

The malicious versions contained password stealing software.


Unknown attackers compromised the accounts of the developers of two popular NPM packages, coa and rc, and downloaded malicious versions containing password-stealing malware.

The coa package provides functions for parsing command line arguments and has an estimated 8.8M downloads per week. Compromised versions of the package include: 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, and 3.1.3.

The rc package is for downloading and parsing configuration files and has over 14 million weekly downloads. The following versions are malicious: 1.2.9, 1.3.9, and 2.3.9.

Both packages were compromised at about the same time. After gaining access to the developer's account, the attackers added a post-installation script to the original codebase that launches obfuscated TypeScript. This script collected information about the operating system and, depending on the installed OS, launched a batch file (Windows) or bash script (Linux).

Examining the deobfuscated Windows version of the batch file revealed that the compromised packages download and run the DLL containing the Qakbot banking trojan.

All compromised versions of the coa and rc packages have already been removed from the NPM repository.

This is the fourth known case of a popular NPM package being compromised in the past few weeks. In mid-October, experts discovered cryptocurrency-mining software in the JavaScript libraries okhsa, klow and klown; just a few days later, malicious versions of the popular NPM library UAParser.js were found to contain a cryptominer and password-stealing software. Following this, malicious NPM packages were identified that distributed ransomware and information stealers under the guise of Roblox libraries.