Just last week we saw the popular npm package `ua-parser-js` get hijacked. Malicious actors gained access to the project maintainer’s npm account and published malicious versions that attempted to install a cryptominer on the compromised system and download a malicious DLL responsible for stealing credentials.
`coa` is a command line option parser with over 9 million weekly downloads that hasn’t been legitimately updated in 3 years. `rc` is used to easily load configuration options and has an astounding 14 million weekly downloads; just like `coa`, it hasn’t seen a new release in 3 years. Coincidence, or a clue as to how attackers are choosing their targets?
It all happened pretty quickly, but as soon as Sonatype became aware of the malicious versions of `coa` and `rc` appearing on npm, we expedited a deep-dive investigation into them.
What’s Inside the Malicious `coa` and `rc` Versions?
The malicious versions leverage the built-in Windows `certutil` binary, a so-called living-off-the-land binary (‘LOLBin’), to download a password-stealing trojan, possibly Danabot once again. No cryptominer this time, but the same techniques are present, which indicates it is likely the same threat actors.
A lot of users quickly noticed this and began commenting on the project’s GitHub Issues page. This was actually really helpful: the user who created the issue even shared the diff of the malicious version against the older legitimate one, which gave us an idea of where to start looking.
A new preinstall script had been included (Read more…)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Juan Aguirre. Read the original post at: https://blog.sonatype.com/npm-hijackers-at-it-again-popular-coa-and-rc-open-source-libraries-taken-over-to-spread-malware