Recently the world witnessed another supply chain attack. This time, attackers infected two popular NPM packages, COA and rc, with password-stealing malware that creates a backdoor on victim computers. Let’s see how you can protect your computer from the infected COA and rc NPM packages.
Victims Of The Infected NPM Packages:
There is no particular target among the victims: since this is a supply chain attack, anyone who installs an infected version of the package becomes a victim. Together, these two NPM packages are reported to have been downloaded 22 million times in a single week.
What Is NPM?
npm is the world’s largest software library (registry), with more than 800,000 packages. npm is not only a software registry but also a package manager and installer. It is released under an open-source license and is free to use: anybody can download npm and its public packages without any registration or login, which is why so many organizations use npm in their private development.
How To Install NPM And Its Packages?
npm is installed together with Node.js, so you need to install Node.js to get npm. You can learn how to install or upgrade Node.js from this page.
What Are COA And rc NPM Packages?
COA (Command-Option-Argument) is a parser for command-line options. It aims to get maximum profit from formalization of your program API. You can read more about COA from its official site.
rc is the non-configurable configuration loader. Visit this page to learn rc’s usage, formats and standards, with live examples.
Infected Versions Of COA And rc Packages:
|NPM Package|Affected versions|
|---|---|
|coa|2.0.3 and above|
|rc|1.2.9, 1.3.9, 2.3.9|
How To Protect Your Computer from Infected ‘COA’ And ‘rc’ NPM Packages?
If you are running any of the affected versions of COA (v2.0.3 and above), downgrade COA to 2.0.2 as soon as possible and check for suspicious activity.
In the same way, if you are running any of the affected versions of the rc npm package (1.2.9, 1.3.9 or 2.3.9) on your computer, downgrade rc to 1.2.8 as soon as possible and check for suspicious activity.
Any computer that has an affected version of the COA or rc package installed or running should be considered fully compromised; take these steps to neutralize the infection.
- Unplug the network cable and isolate the machine from the network. You can leave the computer untouched if you want to carry out threat analysis to identify IOCs.
- Restore the machine from a clean image: a full image backup or filesystem backup snapshot taken before the infection.
- If you don’t have a backup, immediately downgrade the npm packages to the uninfected versions suggested above.
- Removing the package does not guarantee that the infection has been removed. All secrets and keys stored on that computer should be rotated immediately, from a different computer.
- Run the security checks below on the infected system and make sure no malware remains on the machine.
Run these checks on the suspected machines:
- Check for unusual accounts created, especially in the administrators group
- Check for unusually large files on the storage (bigger than five GB)
- Check for any unusual files added recently in system folders
- Check for files with the “hidden” attribute set
- Check for unusual programs launched at boot time in the Windows registry
- Check all running processes for unusual/unknown entries, especially processes running as “system” or “administrator”
- Check the users’ autostart folders
- Check for unusual/unexpected network services installed and started
- Check for unusual network activity
- Check the open sessions on the machine
- Check for unusual automated tasks
- Check for unusual log entries
- Check for rootkits
- Run an anti-virus product on the whole disk to check for any malware
How to downgrade the npm package?
- Install the older version of the npm package. Specify the version after the ‘@’ character, both when installing and when uninstalling a package:
$ npm install coa@2.0.2
$ npm install rc@1.2.8
- Check the versions of npm packages. It is easy to list the versions of an npm package with this simple command:
npm view <package> versions
$ npm view coa versions
$ npm view rc versions
- Uninstall the affected versions of the npm packages. Since we don’t have the affected versions of COA and rc installed, there is nothing to remove from our server. If you see affected versions on your machine, uninstall the package with its version number, just as in the installation step:
npm uninstall <package>@<version>
$ npm uninstall coa@<affected-version>
$ npm uninstall rc@<affected-version>