Attackers managed to gain control of the npm package coa and publish updates 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3 containing malicious changes. The coa package, which provides functions for parsing command-line arguments, has about 9 million downloads per week and is used as a dependency by 159 other npm packages, including react-scripts and vue/cli-service. The npm administration has already deleted the releases with malicious changes and blocked the publication of new versions until access to the repository is returned to the main developer.
The attack was carried out by compromising the account of the project's developer. The added malicious changes are similar to those used in the attack on users of the npm package UAParser.js, but were limited to attacking only the Windows platform (empty stubs were left in the blocks for Linux and macOS). An executable file for mining the Monero cryptocurrency (the XMRig miner) was downloaded from an external host and launched on the user's system, and a library for intercepting passwords was installed.
When the package with the malicious code was built, an error was made that caused the package installation to fail, so the problem was identified promptly and the distribution of the malicious updates was blocked at an early stage. Users should make sure that they have coa version 2.0.2 installed, and it is advisable to pin the working version in the package.json of their projects in case of a repeated compromise.
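
One way to check a project for the releases listed above, as an added example that is not part of the original article: the function walks a parsed `package-lock.json` (both the `packages` layout of lockfile versions 2/3 and the nested `dependencies` layout of version 1) and reports every coa entry resolved to one of those versions. The names `findCompromisedCoa` and `BAD_COA_VERSIONS`, the package `legacy-tool` and both sample lockfiles are constructed for illustration.

```javascript
// Versions the article lists as malicious releases of coa.
const BAD_COA_VERSIONS = new Set(["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"]);

// Returns [{ path, version }] for every coa entry pinned to a listed version.
// Input is the parsed lockfile, e.g. JSON.parse of package-lock.json contents.
function findCompromisedCoa(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop();
      if (name === "coa" && BAD_COA_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" trees, so recurse.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "coa" && BAD_COA_VERSIONS.has(meta.version)) {
        hits.push({ path: trail.concat(name).join(" > "), version: meta.version });
      }
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from a real project).
const sampleV2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/svgo": { version: "1.3.2" },
    "node_modules/coa": { version: "2.0.2" },
    "node_modules/legacy-tool/node_modules/coa": { version: "2.1.3" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    svgo: { version: "1.3.2", dependencies: { coa: { version: "2.0.4" } } },
    coa: { version: "2.0.2" },
  },
};

console.log(findCompromisedCoa(sampleV2)); // flags the nested 2.1.3 copy only
console.log(findCompromisedCoa(sampleV1)); // flags svgo > coa at 2.0.4
```

An empty result means the lockfile resolves no coa entry to a listed release; any hit identifies the dependency path through which the bad version was pulled in.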