Malware found in coa and rc, two npm packages with 23M weekly downloads

The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.

Coa is a command-line argument parser with ~8.8 million weekly downloads.
Rc is a configuration loader with ~14.2 million weekly downloads.

Both packages were compromised around the same time and were the result of attackers gaining access to a package developer's account.

Once inside, the threat actor added a post-installation script to the original codebase, which ran obfuscated TypeScript that would check for operating system details and download a Windows batch or Linux bash script.

According to a deobfuscated version of the Windows batch script, the compromised packages would download and run a DLL file that, according to Windows Defender and others, contained a version of the Qakbot trojan.

Compromised rc versions: 1.2.9, 1.3.9, 2.3.9.

The coa compromise was spotted first, after its new installation routine started crashing build pipelines for React-based applications.
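A defensive check for the incident described above, as an added example (not from the original article or from npm): it audits a parsed package-lock.json for the rc versions listed as compromised and flags any other dependency that declares an install script, the hook the attacker used. The sample lockfile and the package name some-native-addon are constructed; coa versions are not given on this page and are left out.

```javascript
// rc versions the article lists as compromised (coa versions are not on this page).
const COMPROMISED = new Map([["rc", new Set(["1.2.9", "1.3.9", "2.3.9"])]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Audit a parsed package-lock.json; returns [{ name, version, path, reason }].
function auditLockfile(lock) {
  const findings = [];
  const check = (name, version, path, hasInstallScript) => {
    const bad = COMPROMISED.get(name);
    if (bad && bad.has(version)) {
      findings.push({ name, version, path, reason: "compromised-version" });
    } else if (hasInstallScript) {
      // Not malicious by itself, but this is the hook the attacker added: review it.
      findings.push({ name, version, path, reason: "install-script" });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" = root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    check(meta.name || nameFromPath(path), meta.version, path, meta.hasInstallScript === true);
  }
  // lockfileVersion 1: nested "dependencies" tree, which carries no install-script flag.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, meta.version, path, false);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile; "some-native-addon" is a made-up package name.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/rc": { version: "1.2.9", hasInstallScript: true },
    "node_modules/registry-url/node_modules/rc": { version: "1.2.8" },
    "node_modules/some-native-addon": { version: "1.0.0", hasInstallScript: true },
  },
};
console.log(auditLockfile(sampleLock));
```

To run it against a real project, pass the result of JSON.parse on the project's package-lock.json to auditLockfile.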