On 4 November October 2021, GitHub released security advisories on two NPM libraries having been published with malicious code. We recommend applying the mitigations in the advisories as soon as possible.
On 4 November, GitHub community started reporting on suspicious versions of NPM package Command-Option-Argument (COA). COA is a command-line options parser for Node.js projects.
On the same day, another NPM package, the RC configuration loader, was found to have been compromised with malware.
Initial reports indicate that threat actors used a banking trojan that has the capability to steal credentials and gained access to NPM package maintainer’s account. As a result, the packages were distributed with malware.
The following NPM packages are affected:
COA 2.0.3 and above.
RC 1.2.9, 1.3.9, and 2.3.9.
According to available advisories, computers with the affected versions of COA parser and RC configuration loader installed should be considered "fully compromised".
NPM removed the compromised versions and blocked new versions from being published temporarily.
If you are using any of the vulnerable packages, we recommend implementing the mitigations from the GitHub advisories below.
Passwords, keys and tokens stored on a computer running the affected packages should be changed.
Users of COA 2.0.3 and above are recommended to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity.
Users of affected RC versions are recommended to downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity.
The presence of such files as compile.js, compile.bat, and sdd.dll is associated with this threat activity.