According to a BleepingComputer report, on November 4 the popular npm library "coa" was hijacked and malicious code was injected into it, briefly breaking React packages around the world that depend on "coa".

"Coa" is short for Command-Option-Argument. The library is downloaded about 9 million times a week from npm and is used by nearly 5 million open source repositories on GitHub.

"coa" is a command-line option parser for Node.js projects. The project's last stable version, 2.0.2, was released in December 2018. Then several suspicious versions suddenly appeared on npm: 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3. It was these malicious versions that broke React packages depending on "coa":

Malicious version of coa on GitHub

React developer Roberto Wesley Overdijk said:

"I don't know why this happened or what happened. But no matter what this version did, it broke the Internet."

Another GitHub user, ElBidouilleur, found that version 2.1.3 of "coa" broke their build:

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! coa@2.1.3 preinstall: start /B node compile.js & node compile.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the coa@2.1.3 preinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/mboutin/.npm/_logs/2021-11-04T14_01_45_544Z-debug.log

Several other developers joined the discussion, reporting that their builds had also broken since the new versions of "coa" were released.

Although npm has since removed the malicious versions, archived copies can still be retrieved from Sonatype's automated malware detection system.

The same malware also hijacked "ua-parser-js" and the fake noblox package

A similar incident occurred last month, when another popular npm library, "ua-parser-js", used by Facebook, Microsoft, Amazon, Reddit and other large technology companies, was hijacked.

According to BleepingComputer's analysis, the malware in the hijacked "coa" versions is the same as the code in the hijacked "ua-parser-js" versions, which may link the threat actors behind the two incidents.

The malware appears to be the Danabot password-stealing Trojan for Windows. Once loaded through regsvr32.exe, it uses rundll32.exe to relaunch itself with various parameters to perform different malicious actions.

When loaded, Danabot will perform various malicious activities, including:

  • Steal passwords from various web browsers, including Chrome, Firefox, Opera, Internet Explorer and Safari
  • Steal passwords of various applications, including VNC, online casino applications, FTP clients and mail accounts
  • Steal stored credit cards
  • Take a screenshot of the active screen
  • Log keystrokes
  • Send all of this stolen data back to the threat actors so they can compromise the victim's other accounts

What should users of the "coa" library do?

Because of the widespread impact of this kind of supply chain attack, users of the "coa" library are strongly advised to check their projects for the malware, including checking for the presence of compile.js, compile.bat, and sdd.dll files.

If infection is confirmed, change the passwords, keys and tokens on the affected device, and at the same time pin the npm version of coa to the stable release "2.0.2".
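One way to carry out the checks described above, written as an added example for this article rather than code from the report or from the coa project: the script walks a project directory, lists every installed copy of coa (including nested copies pulled in by other dependencies) and every coa version recorded in package-lock.json, flags the versions the report names as malicious, looks for the compile.js, compile.bat and sdd.dll indicator files under node_modules, and pins coa to 2.0.2 via the npm "overrides" field (an npm 8.3+ feature; Yarn users would use "resolutions" instead). The sample project tree it builds is constructed for the demonstration and contains only placeholder files, not the real dropper.

```python
import json
import tempfile
from pathlib import Path

# Versions named in the report as malicious; 2.0.2 is the last clean release.
MALICIOUS_COA_VERSIONS = {"2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"}
SAFE_COA_VERSION = "2.0.2"
# File names the report tells coa users to look for.
INDICATOR_FILES = {"compile.js", "compile.bat", "sdd.dll"}


def installed_coa_versions(root):
    """Return [(relative_dir, version)] for every copy of coa under node_modules,
    including nested copies installed beneath other dependencies."""
    found = []
    for pkg_json in Path(root).rglob("node_modules/coa/package.json"):
        try:
            version = json.loads(pkg_json.read_text()).get("version", "")
        except (OSError, ValueError):
            version = ""  # unreadable/corrupt manifest: report it, but with no version
        found.append((pkg_json.parent.relative_to(root).as_posix(), version))
    return sorted(found)


def locked_coa_versions(root):
    """Versions of coa recorded in package-lock.json, for lockfile v2/v3
    (flat "packages" map) and v1 (nested "dependencies" tree)."""
    lock = Path(root) / "package-lock.json"
    if not lock.exists():
        return []
    data = json.loads(lock.read_text())
    versions = set()
    for path, meta in data.get("packages", {}).items():
        if path.endswith("node_modules/coa"):
            versions.add(meta.get("version", ""))

    def walk(deps):
        for name, meta in deps.items():
            if name == "coa":
                versions.add(meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(versions)


def indicator_files(root):
    """Relative paths of any indicator file found inside a node_modules tree."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.name in INDICATOR_FILES and "node_modules" in p.parts:
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def scan_project(root):
    """Combine the three checks into one report dictionary."""
    installed = installed_coa_versions(root)
    return {
        "bad_installed": [(d, v) for d, v in installed if v in MALICIOUS_COA_VERSIONS],
        "bad_locked": [v for v in locked_coa_versions(root) if v in MALICIOUS_COA_VERSIONS],
        "indicator_files": indicator_files(root),
    }


def pin_coa(package_json_path):
    """Add an npm 'overrides' entry forcing every transitive coa to 2.0.2."""
    path = Path(package_json_path)
    data = json.loads(path.read_text())
    data.setdefault("overrides", {})["coa"] = SAFE_COA_VERSION
    path.write_text(json.dumps(data, indent=2) + "\n")
    return data["overrides"]["coa"]


def build_sample_project(root):
    """Constructed sample tree (not real data): a top-level coa 2.1.3 with a
    placeholder compile.js, plus a clean nested 2.0.2 copy under 'svgo'."""
    root = Path(root)
    bad = root / "node_modules" / "coa"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "coa", "version": "2.1.3"}))
    (bad / "compile.js").write_text("// constructed placeholder, not the real dropper\n")
    good = root / "node_modules" / "svgo" / "node_modules" / "coa"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "coa", "version": "2.0.2"}))
    (root / "package.json").write_text(json.dumps({"name": "demo", "version": "1.0.0"}))
    (root / "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 2,
        "packages": {
            "node_modules/coa": {"version": "2.1.3"},
            "node_modules/svgo/node_modules/coa": {"version": "2.0.2"},
        },
    }))


def demo():
    """Build the constructed tree in a temp dir, scan it, then pin coa."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        report = scan_project(tmp)
        report["pinned_to"] = pin_coa(Path(tmp) / "package.json")
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real project by calling `scan_project(".")` from the project root and then `pin_coa("package.json")` followed by a fresh `npm install`; any hit in `bad_installed`, `bad_locked` or `indicator_files` means the preinstall hook may already have run on that machine, so the credential rotation above applies before the reinstall.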

六一 (SegmentFault new media operations)