Two NPM libraries published with malware

On 4 November October 2021, GitHub released security advisories on two NPM libraries having been published with malicious code. We recommend applying the mitigations in the advisories as soon as possible.

Details

• NPM is the default package manager for the JavaScript runtime environment Node.js.
• On 4 November, GitHub community started reporting on suspicious versions of NPM package Command-Option-Argument (COA). COA is a command-line options parser for Node.js projects.
• On the same day, another NPM package, the RC configuration loader, was found to have been compromised with malware.
• Initial reports indicate that threat actors used a banking trojan that has the capability to steal credentials and gained access to NPM package maintainer’s account. As a result, the packages were distributed with malware.
• The following NPM packages are affected:
  • COA 2.0.3 and above.
  • RC 1.2.9, 1.3.9, and 2.3.9.

• According to available advisories, computers with the affected versions of COA parser and RC configuration loader installed should be considered "fully compromised".
• NPM removed the compromised versions and blocked new versions from being published temporarily.

Recommendations

• If you are using any of the vulnerable packages, we recommend implementing the mitigations from the GitHub advisories below.
• Passwords, keys and tokens stored on a computer running the affected packages should be changed.
• Users of COA 2.0.3 and above are recommended to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity.
• Users of affected RC versions are recommended to downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity.
• The presence of such files as compile.js, compile.bat, and sdd.dll is associated with this threat activity.

References

• GitHub Advisories
• Details on Exploitation