Malware found in coa and rc, two npm packages with 23M weekly downloads

The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.

  • Affected packages include coa and rc.
  • Coa is a command-line argument parser with ~8.8 million weekly downloads.
  • Rc is a configuration loader with ~14.2 million weekly downloads.
  • Compromised coa versions: 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3
  • Compromised rc versions: 1.2.9, 1.3.9, 2.3.9.

Both packages were compromised around the same time and were the result of attackers gaining access to a package developer's account.

Once inside, the threat actor added a post-installation script to the original codebase, which it run an obfuscated TypeScript, that would check for operating system details and download a Windows batch or Linux bash script.

According to a deobfuscated version of the Windows batch script, the compromised packages would download and run a DLL file that, according to Windows Defender, and others, contained a version of the Qakbot trojan.


Initially, the coa compromise was spotted first after its new installation routine started crashing build pipelines for React-based applications.

"The compromised [developer] account has been temporarily disabled and we are actively investigating the incident and monitoring for similar activity," the npm team said on Thursday, shortly after detecting the coa compromise following a wave of reports about failed builds.

The compromise of the rc package was discovered hours later.

Since then, the npm security team has removed all the compromised coa and rc versions to prevent developers from accidentally infecting themselves.

However, both compromises had no chance of slipping through. Both libraries are extremely widely used, the malicious code was poorly hidden, and both libraries hadn't seen new releases since December 2018 and December 2015, respectively, meaning that any new release would have triggered a security audit for most professional developer teams.

As it was pointed out on GitHub yesterday, the malicious code involved in these incidents is almost identical to the one used in the compromise of the UAParser library in late October.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.