Hackers inject malicious code into another popular npm library

By Scott Marlette Last updated Nov 5, 2021

Coa, a popular library found on npm, a manager for the JavaScript programming language, has been hijacked and used to spread malicious code, reports have claimed.

According to Bleeping Computer, the attack on coa – short for Command-Option-Argument, impacted countless React pipelines around the world. React is a JavaScript library for building user interfaces. Coa gets around 9 million downloads a week on npm, and is used by some 5 million open-source GitHub repositories.

Soon after discovering the hijack, developers also spotted another popular component – rc – also being affected. The rc library is even more popular than coa, getting some 14 million downloads a week.

One of the things that raised suspicions among developers was the fact that the last stable coa version – 2.0.2 – was released in December 2018. Then, all of a sudden, five versions began appearing on npm, all in a matter of hours, “breaking React packages that depend on coa”.

Multiple attacks

“I’m not sure why or what happened but 10 minutes ago there was a release (even though the last change on GitHub was in 2018). Whatever this release did, it broke the internet,” said Roberto Wesley Overdijk, a React developer.

Last month, a popular npm library ua-parser-js, used by many of the world’s largest websites and tech companies, was also hijacked, and with the malicious code embedded in both instances being virtually identical, it led Bleeping Computer to conclude that the malicious actor behind these incidents is probably the same.

The publication’s analysts are saying the malware is likely Danabot, a password-stealing Trojan for Windows. It is capable of stealing passwords from all popular website browsers, FTP clients, and various applications, as well as stored credit cards. It can take screenshots of active screens, and log keystrokes.

The malicious versions have since been removed, but all coa and rc library users are advised to check their projects for malicious software.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.