Skip Navigation

November 6, 2021 |

Two NPM libraries published with malware

Loading table of contents...

On 4 November October 2021, GitHub released security advisories on two NPM libraries having been published with malicious code. We recommend applying the mitigations in the advisories as soon as possible.


  • NPM is the default package manager for the JavaScript runtime environment Node.js.
  • On 4 November, GitHub community started reporting on suspicious versions of NPM package Command-Option-Argument (COA). COA is a command-line options parser for Node.js projects.
  • On the same day, another NPM package, the RC configuration loader, was found to have been compromised with malware.
  • Initial reports indicate that threat actors used a banking trojan that has the capability to steal credentials and gained access to NPM package maintainer’s account. As a result, the packages were distributed with malware.
  • The following NPM packages are affected:
    • COA 2.0.3 and above.
    • RC 1.2.9, 1.3.9, and 2.3.9.
  • According to available advisories, computers with the affected versions of COA parser and RC configuration loader installed should be considered "fully compromised".
  • NPM removed the compromised versions and blocked new versions from being published temporarily.


  • If you are using any of the vulnerable packages, we recommend implementing the mitigations from the GitHub advisories below.
  • Passwords, keys and tokens stored on a computer running the affected packages should be changed.
  • Users of COA 2.0.3 and above are recommended to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity.
  • Users of affected RC versions are recommended to downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity.
  • The presence of such files as compile.js, compile.bat, and sdd.dll is associated with this threat activity.