NPM Hijackers at it Again: Popular ‘coa’ and ‘rc’ Open Source Libraries Taken Over to Spread Malware

Just last week we saw the popular npm package `ua-parser-js` get hijacked. Malicious actors gained access to the project maintainer’s npm account and published malicious versions that attempted to install a cryptominer on the compromised system and download a malicious DLL in charge of stealing credentials. 

Well, it happened again. This time the `coa` and `rc` packages were hijacked, via an npm account takeover. The hijacked versions of these packages are tracked under sonatype-2021-1696. 

Coa is a command line option parser with over 9 Million weekly downloads which hasn’t been legitimately updated in 3 years. `Rc` is used to easily load configuration options with an astounding 14 million weekly downloads and just like Coa, it hasn’t seen a new release in 3 years. Coincidence? Or, clue as to how attackers are choosing their targets?

Much like `ua-parser-js`, these packages are also used by tech industry giants, such as Microsoft and Meta (Facebook), according to grep.app results:

Sponsorships Available

Sponsorships Available

Sponsorships Available

It all happened pretty quickly, but as soon as Sonatype became aware of the malicious versions of `coa` and `rc` appearing on npm, we expedited Deep Dive research on them.

What’s Inside the Malicious `coa` and `rc` Versions?

The malicious versions leverage built-in certutil binaries, also known as ‘LOLBins,’ to download a password stealing trojan, possibly Danabot once again. No crypto miner this time, but the same techniques are present, which indicate it is likely the same threat actors. 

A lot of users quickly noticed this and began commenting on the project’s GitHub Issues page. This was actually really helpful, the user that created the issue even shared the diff of the malicious version vs. the older legitimate one. This gave us an idea where to start looking. 

A new preinstall script had been included (Read more...)