Two widely used NPM packages, with a combined weekly download count of roughly 22 million, were found to carry malicious code after attackers gained unauthorized access to the maintainers' accounts, in another supply-chain attack targeting open-source software repositories.
“This morning we detected multiple versions of the “coa” package published with malicious code due to a compromised account of a maintainer. We quickly removed the compromised versions and have published an advisory: https://github.com/advisories/GHSA-73qr-pfmq-6rp8…. npm itself was not compromised,” GitHub tweeted.
coa is a command-line option parser that aims to get the most out of formalizing a program's API. rc is a configuration loader, self-described as the non-configurable configuration loader for lazy people.
coa versions 2.0.3 and above (2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, and 3.1.3) are all affected. According to a GitHub advisory published on November 4, users of the affected versions should downgrade to 2.0.2 as soon as possible and check their systems for unusual activity.
Similarly, malicious code was found in rc versions 1.2.9, 1.3.9, and 2.3.9, with a separate advisory telling users to downgrade to version 1.2.8.
Further analysis of the malware samples identified them as a variant of DanaBot, a Windows trojan that steals passwords and credentials, mirroring two incidents from last month: the compromise of UAParser.js and the publication of rogue, typosquatted Roblox NPM packages.
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” GitHub researchers wrote.