
Urgent Security Alert: Popular NPM Packages ‘coa’ and ‘rc’ Hijacked in Major Supply Chain Attack
A sophisticated supply chain attack has compromised two widely used NPM packages, ‘coa’ and ‘rc’, potentially exposing countless servers and development environments to malware. With a combined total of billions of lifetime downloads, the impact of this breach is widespread, underscoring the critical vulnerabilities present in the modern software supply chain.
The incident involved the hijacking of maintainer accounts, allowing attackers to publish malicious new versions of these seemingly harmless packages. Any project that downloaded or updated to these compromised versions automatically installed a password-stealing trojan.
The Anatomy of the Attack
This security breach is a classic example of a software supply chain attack, where a trusted component is compromised to distribute malware to a vast number of downstream users.
Here’s what happened:
- Legitimate Packages Compromised: The command-line argument parser ‘coa’ and the configuration loader ‘rc’ are foundational tools used as dependencies in thousands of other popular projects, including many well-known development frameworks.
- Malicious Versions Published: Attackers gained unauthorized access and published several new versions of both packages. These versions contained a malicious post-install script.
- Malware Deployed: Upon installation, the script would download and execute a file named paslo.js, a trojan designed to steal sensitive information. The malware was observed attempting to exfiltrate passwords and other credentials from infected Windows systems.
This attack highlights a dangerous reality: many developers may not even be aware they are using these packages, as they are often included as dependencies of other dependencies (transitive dependencies).
How to Determine if You Are at Risk
You are at risk if your project or development environment has installed one of the compromised versions. It is crucial to immediately check your dependencies for the following malicious package versions:
- coa: 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3
- rc: 1.2.9, 1.3.9, 2.3.9
To check if your project uses these packages, even as a sub-dependency, run the following commands in your project’s root directory:
npm ls coa
npm ls rc
This will show you which version of each package is installed and which parent package requires it.
Immediate Actions and Mitigation Steps
If you find any of the compromised versions in your projects, take these steps immediately to secure your environment.
- Isolate the Environment: If possible, disconnect the affected machine from the network to prevent any further data exfiltration by the malware.
- Audit Your Dependencies: Run npm audit in your project directories. This command is designed to identify known vulnerabilities in your project’s dependency tree and will flag these malicious versions.
- Update to a Safe Version: The maintainers of the packages and the NPM security team have removed the malicious versions. Update your packages to the latest secure versions available. Ensure your package.json and package-lock.json files point to safe, non-compromised versions.
- Review System Security: Since the malware was a password-stealing trojan, it is essential to assume that credentials stored on the affected machine may have been compromised. Change all critical passwords, API keys, and other secrets that were present on the system.
- Scan for Malware: Run a thorough antivirus and anti-malware scan on the affected system to detect and remove any remnants of the paslo.js trojan or other malicious files.
Long-Term Strategies for a Secure Software Supply Chain
This incident is not an isolated event. To protect your projects from future supply chain attacks, developers and organizations should adopt a more robust security posture.
- Implement Strict Version Pinning: Use package-lock.json or yarn.lock to lock your dependencies to specific, vetted versions. This prevents automatic updates to potentially malicious newer versions without your explicit approval.
- Automate Security Scanning: Integrate automated security scanning tools like NPM Audit, Snyk, or GitHub’s Dependabot into your CI/CD pipeline. These tools continuously monitor for new vulnerabilities in your dependencies.
- Strengthen Maintainer Account Security: If you are a package maintainer, enable Multi-Factor Authentication (MFA/2FA) on your NPM and GitHub accounts. This is the single most effective step to prevent unauthorized account takeovers.
- Vet Dependencies Before Integration: Before adding a new dependency, perform due diligence. Check its popularity, maintenance history, and whether it has any known security issues. Favor well-maintained packages from trusted sources.
The software supply chain remains a primary target for attackers. Vigilance, proactive security measures, and swift incident response are essential to safeguarding the integrity of our development ecosystems.
Source: https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/