Skip to content

Latest commit

 

History

History
30 lines (22 loc) · 1.41 KB

File metadata and controls

30 lines (22 loc) · 1.41 KB

Compromise of NPM packages coa and rc

In early November 2021, the developer accounts of popular NPM packages coa (over 8 million weekly downloads) and rc (over 14 million weekly downloads) were hijacked, allowing attackers to publish malicious versions that downloaded and installed a version of the Qakbot trojan.

This attack is similar to the ua-parser-js attack.

Impact

The coa breach was spotted after build pipelines began crashing, prompting an investigation from NPM. The rc breach was discovered later the same day. Due to the extent of use of both libraries and the fact that the malicious code caused pipelines to fail in some environments, the breaches were spotted quite early (the GitHub thread for coa indicates it was opened 10 minutes after the release). A more sophisticated, "silent" attack along the same vector could have resulted in far more damage.

Type of Compromise

These attacks was carried out by someone posing as the respective maintainers, and therefore can be classified as "Malicious Maintainer".

References