On 4 November 2021, GitHub released security advisories on two NPM libraries that had been published with malicious code. We recommend applying the mitigations in the advisories as soon as possible.
Details
- NPM is the default package manager for the JavaScript runtime environment Node.js.
- On 4 November, the GitHub community started reporting suspicious versions of the NPM package Command-Option-Argument (COA). COA is a command-line options parser for Node.js projects.
- On the same day, another NPM package, the RC configuration loader, was found to have been compromised with malware.
- Initial reports indicate that threat actors used a banking trojan capable of stealing credentials to gain access to the NPM package maintainer's account. As a result, the packages were distributed with malware.
- The following NPM packages are affected:
  - COA 2.0.3 and above.
  - RC 1.2.9, 1.3.9, and 2.3.9.
- According to the available advisories, computers with the affected versions of the COA parser or the RC configuration loader installed should be considered "fully compromised".
- NPM removed the compromised versions and blocked new versions from being published temporarily.
Recommendations
- If you are using any of the vulnerable packages, we recommend implementing the mitigations from the GitHub advisories below.
- Passwords, keys and tokens stored on a computer running the affected packages should be changed.
- Users of COA 2.0.3 and above are recommended to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity.
- Users of affected RC versions are recommended to downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity.
- The presence of files named compile.js, compile.bat, or sdd.dll is associated with this threat activity.
References