On Thursday, November 4, 2021, barely more than a week after ua-parser-js was hijacked, another popular NPM library called coa (Command-Option-Argument), which is used in React packages around the world, was hijacked to distribute credential-stealing malware. The developer community noticed something was amiss when strange new versions of coa appeared on npm, breaking software builds.
Another popular NPM component, rc, was also evidently hijacked to run malicious code in Windows environments. According to NPM, the malware identified in the rc hijack was identical to the malware distributed in the coa hijack. Both packages are used by millions of developers and projects. As of Friday, November 5, several developers and users had called for NPM to implement stricter security measures, including MFA on developer accounts.
The guidance issued for coa reads:

“Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
Mitigation instructions for rc are identical to the above. The affected versions of rc are 1.2.9, 1.3.9, and 2.3.9. Those users should downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity, taking care to rotate secrets.
All users of rc should look for compile.js, compile.bat, and sdd.dll files and delete or investigate those files. Version pinning may help mitigate risk against future attacks of this nature. BleepingComputer has more information on the attack and the malware’s behavior here.