Hackers inject malicious code into another popular npm library
It’s yet another attempt at a supply chain attack
Coa, a popular library published on npm, the package registry and manager for the JavaScript ecosystem, has been hijacked and used to spread malicious code, reports have claimed.
According to Bleeping Computer, the attack on coa (short for Command-Option-Argument) impacted countless React build pipelines around the world. React is a JavaScript library for building user interfaces. Coa gets around 9 million downloads a week on npm and is used by some 5 million open-source GitHub repositories.
Soon after discovering the hijack, developers also spotted another popular component, rc, being affected. The rc library is even more popular than coa, getting some 14 million downloads a week.
One of the things that raised suspicions among developers was the fact that the last stable coa version, 2.0.2, was released in December 2018. Then, all of a sudden, five new versions appeared on npm in a matter of hours, "breaking React packages that depend on coa".
Multiple attacks
"I'm not sure why or what happened but 10 minutes ago there was a release (even though the last change on GitHub was in 2018). Whatever this release did, it broke the internet," said Roberto Wesley Overdijk, a React developer.
Last month, the popular npm library ua-parser-js, used by many of the world's largest websites and tech companies, was also hijacked. Because the malicious code embedded in both incidents is virtually identical, Bleeping Computer concluded that the same malicious actor is probably behind them.
The publication's analysts say the malware is likely Danabot, a password-stealing Trojan for Windows. It is capable of stealing passwords from all popular web browsers, FTP clients and various applications, as well as stored credit cards. It can take screenshots of active screens and log keystrokes.
The malicious versions have since been removed from npm, but all coa and rc users are advised to check their projects for the malicious versions, including lockfiles and build caches that may still pin one of them.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.