On Thursday, November 4, 2021, barely more than a week after ua-parser-js was hijacked, another popular NPM library called coa (Command-Option-Argument), which is used in React packages around the world, was hijacked to distribute credential-stealing malware. The developer community noticed something was amiss when strange new versions of coa appeared on npm, breaking software builds.

Another popular NPM component, rc, was also evidently hijacked to run malicious code in Windows environments. According to NPM, the malware identified in the rc hijack was identical to the malware distributed in the coa hijack.

Both coa and rc are used by millions of developers and projects. As of Friday, November 5, several developers and users had called for NPM to implement stricter security measures, including MFA on developer accounts.

Mitigation Guidance

NPM has reportedly removed compromised versions of coa. The maintainers said on Thursday:

“Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”

Mitigation instructions for rc are identical to those above. The affected versions of rc are 1.2.9, 1.3.9, and 2.3.9. Users of those versions should downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity, taking care to rotate secrets.

All users of coa and rc should look for files named compile.js, compile.bat, or sdd.dll and investigate or delete them. Version pinning may help mitigate risk against future attacks of this nature. BleepingComputer has more information on the attack and the malware’s behavior here.