Coa, a popular library from npm, a manager for the JavaScript programming language, has been hijacked by hackers who published new versions equipped with password-stealing malware.
The 'coa' library, short for Command-Option-Argument, gets around 9 million downloads a week on npm, and is used by almost 5 million open-source GitHub repositories. The assault on coa will severely impact countless React pipelines around the globe, Bleeping Computer reported.
Soon after spotting the hijack, security researchers also uncovered another popular npm component- 'rc'- also being impacted. The 'rc' library nets 14 million downloads a week on average.
According to the security team of the npm, both packages were compromised simultaneously and were the result of threat actors securing access to a package developer’s account.
Once inside, the hacker adds a post-installation script to the original codebase, which runs an obfuscated TypeScript used for downloading a Windows batch or Linux bash script depending on the OS of the machine running the software. The compromised coa versions are 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3, while compromised rc versions are 1.2.9, 1.3.9, 2.3.9
The last stable coa version 2.0.2 was released in December 2018, but developers around the world were left surprised when several suspicious versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3 began appearing on npm as of a few hours ago, breaking React packages that depend on 'coa'.
The security team of the NPM has reportedly disabled the compromised versions of coa. “Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the maintainers stated.