User credentials at risk due to a hijack of the NPM library ‘coa.’

React pipelines all around the world have been temporarily disrupted as npm library ‘coa’ was infected with malicious code. Shortly after the compromise was detected, another well-known npm component, “rc”, was discovered to have been hijacked as well.

Noa Rpm 1024x496
The NPM library coa. has been hijacked

Coa NBM releases infected with malicious code

Npm library “coa” – a project that hasn’t been updated in years – appeared on npm with new releases, surprising developers across the globe.

In December 2018, the project published its final stable version, 2.0.2. However, a number of suspicious versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3 appeared on npm in the last several hours, breaking React packages that rely on ‘coa’.

Based on the evidence that researchers have gathered so far, the Danabot password-stealing Trojan for Windows is the most probable malware injected into these suspicious releases. If Danabot is activated, it most likely will engage in a variety of nefarious activities, such as:

  • Passwords theft from a wide range of web browsers, including the most popular ones like Chrome, Firefox, Internet Explorer, Opera, Safari, etc.
  • Passwords theft from VNC, online casino apps, FTP clients, mail accounts and other applications.
  • Theft of credit cards from a wallet.
  • Screenshot capture of the active screen.
  • Keystrokes recording

Threat actors use this malware to collect all the stolen information and use it to break into the other accounts of their victims.

In relation to the incident with the malware-injected “coa” releases, NPM has deleted the compromised versions and prohibited new versions from being published temporarily while restoring access to the package.

Pinning the npm version to stable release “2.0.2” is one of the suggestions made in the initial GitHub disucssion. The safest version of ‘rc’ to use is “1.2.8“. The ongoing investigation has revealed that different versions of the “rc” package had the same malware as the “coa” package. Nmp has removed any malicious “rc” versions from the registry and has issued an alert in the wake of this incident.

All users of the “coa” and “rc” libraries are urged to examine their projects for malicious software as a result of this supply-chain attack. In addition, if compile.js or compile.bat or sdd.dll files are detected, they should be deleted.

It’s also a good idea for those who have been affected to update their passwords, keys, and refresh tokens since they’re likely to have been provided to the attacker. Npm also recommends that all maintainers of npm utilize two-factor authentication in order to avoid future attacks of this kind.

As per the available statistics, 9 million downloads on npm and approximately 5 million open-source repositories on GitHub utilize the “coa” (Command-Option-Argument) library per week. An average of 14 million files are downloaded each week from the “rc” library.

About the author


Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment