Malware infiltrated into NPM package coa with 9 million downloads per week

The attackers gained control of the coa NPM package and published releases 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3 containing malicious changes. The coa package, which provides functions for parsing command line arguments, has about 9 million downloads per week and is a dependency of 159 other NPM packages, including react-scripts and @vue/cli-service. The NPM administration has already removed the releases with the malicious changes and blocked publication of new versions until the main developer regains access to the repository.

The attack was carried out by compromising the account of the project developer. The malicious changes are similar to those used in the attack on users of the UAParser.js NPM package two weeks ago, but this attack was limited to the Windows platform (the download blocks for Linux and macOS were left as empty stubs). An executable was downloaded from an external host and launched on the user's system to mine the Monero cryptocurrency (the XMRig miner was used), and a library for intercepting passwords was installed.

A mistake in the build of the malicious package caused installation of the package to fail, so the problem was identified quickly and distribution of the malicious update was blocked at an early stage. Users should make sure they have coa version 2.0.2 installed, and it is advisable to pin that working version in the package.json of their projects in case of a repeat compromise:

npm and yarn:
    "resolutions": { "coa": "2.0.2" }

pnpm:
    "pnpm": { "overrides": { "coa": "2.0.2" } }
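As an added illustration (not code from the coa project or from the article), the following Node script checks a package-lock.json for the five compromised coa releases listed above and verifies that package.json carries one of the recommended pins. The lockfile layout assumed is the lockfileVersion 2/3 "packages" map; the sample data is constructed.

```javascript
// Added example: scan a package-lock.json for the compromised coa releases
// named in the article and check that package.json pins coa to 2.0.2.
// The sample lockfile and package.json below are constructed, not real.
const MALICIOUS_COA = new Set(["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"]);
const SAFE_COA = "2.0.2";

// Walk the lockfileVersion 2/3 "packages" map (install path -> metadata) and
// return every install path whose coa version is one of the malicious ones.
// Nested copies such as node_modules/react-scripts/node_modules/coa count too.
function findCompromisedCoa(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isCoa = path === "node_modules/coa" || path.endsWith("/node_modules/coa");
    if (isCoa && MALICIOUS_COA.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// True if package.json pins coa to 2.0.2 through the yarn/npm "resolutions"
// field or the pnpm "overrides" field, the two forms the article recommends.
function hasCoaPin(pkg) {
  const pins = [
    pkg.resolutions && pkg.resolutions.coa,
    pkg.pnpm && pkg.pnpm.overrides && pkg.pnpm.overrides.coa,
  ];
  return pins.some((v) => v === SAFE_COA);
}

// Constructed sample lockfile: one clean top-level coa, one malicious
// transitive copy, and an unrelated package whose name merely starts with "coa".
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/coa": { version: "2.0.2" },
    "node_modules/react-scripts/node_modules/coa": { version: "2.0.4" },
    "node_modules/coalesce": { version: "1.0.0" },
  },
};
// Constructed sample package.json carrying the yarn-style pin.
const samplePkg = { resolutions: { coa: "2.0.2" } };

const report = findCompromisedCoa(sampleLock); // one hit: the 2.0.4 copy
console.log(report, hasCoaPin(samplePkg));
```

Run it against a real project by replacing the constructed objects with the parsed contents of package-lock.json and package.json; a non-empty report or a missing pin is the condition to act on.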

Source: opennet.ru