In a separate supply chain attack on open-source package repositories, two widely deployed npm packages with a combined total of nearly 22 million downloads per week were found to contain malicious code after attackers gained unauthorized access to the respective maintainers' npm accounts.
coa and rc npm Packages Hijacked
The first is the popular npm library coa (Command-Option-Argument), a command-line option parser, which was hijacked last week and had malicious code injected into it, briefly breaking React build pipelines around the world.
The ‘coa’ library has over 8.7 million weekly downloads on npm and is used by nearly 5 million open source repositories on GitHub.
The second package is rc, described by its own README as a “non-configurable configuration loader for lazy people”, which was hijacked to run malicious code in Windows environments a few hours after the coa hijacking was discovered. On average, the ‘rc’ library receives 14 million downloads every week.
Last Thursday, developers everywhere were shocked to see new releases of the npm library ‘coa’, a project that had not been touched for years, appear on npm out of the blue.
coa is a command-line option parser for Node.js projects. According to BleepingComputer, the last stable version of the project, 2.0.2, was published three years ago.
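The warning sign described above, a package that has been dormant for years suddenly publishing a burst of new versions, can be checked mechanically against the registry's per-version publish timestamps. The following is an added example written for this page; it is not code from the article, from BleepingComputer, or from the coa or rc projects. The package name, version numbers and timestamps in it are constructed for illustration and are not coa's real release history; only the shape of the input (the `time` object from an npm registry packument) matches what the registry returns.

```javascript
// Added example, not part of the original article: flag npm package versions
// that appear after a long publishing gap, the pattern seen in the coa hijack.
// The input mirrors the "time" field of a registry packument
// (https://registry.npmjs.org/<name>). The sample below is constructed;
// it is NOT coa's real release history and the package name is hypothetical.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample: a stable line that went quiet in 2018, then a burst of
// releases on a single day three years later.
const samplePackument = {
  name: "example-cli-parser", // hypothetical package name
  "dist-tags": { latest: "2.0.2" },
  time: {
    created: "2014-01-10T10:00:00.000Z",
    modified: "2021-11-04T12:30:00.000Z",
    "2.0.1": "2018-06-01T10:00:00.000Z",
    "2.0.2": "2018-12-15T10:00:00.000Z",
    "2.0.3": "2021-11-04T11:45:00.000Z",
    "2.0.4": "2021-11-04T11:50:00.000Z",
    "2.1.1-alpha.1": "2021-11-04T12:30:00.000Z",
  },
};

// Version entries sorted by publish time, skipping the registry's
// "created"/"modified" bookkeeping keys that live in the same object.
function publishedVersions(packument) {
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, publishedAt: new Date(iso) }))
    .sort((a, b) => a.publishedAt - b.publishedAt);
}

// Flag every version published more than `dormantDays` after the previous
// release ("dormancy-break"). Once dormancy is broken, the versions that follow
// within `burstDays` are flagged too ("post-break-burst"), since a hijacker
// typically pushes several versions in quick succession.
function findDormancyBreaks(packument, { dormantDays = 365, burstDays = 7 } = {}) {
  const versions = publishedVersions(packument);
  const flagged = [];
  let lastFlaggedAt = null;
  for (let i = 1; i < versions.length; i++) {
    const prev = versions[i - 1];
    const cur = versions[i];
    const gapDays = (cur.publishedAt - prev.publishedAt) / DAY_MS;
    const brokeDormancy = gapDays > dormantDays;
    const inBurst =
      lastFlaggedAt !== null && (cur.publishedAt - lastFlaggedAt) / DAY_MS <= burstDays;
    if (brokeDormancy || inBurst) {
      flagged.push({
        version: cur.version,
        gapDays: Math.round(gapDays),
        reason: brokeDormancy ? "dormancy-break" : "post-break-burst",
      });
      lastFlaggedAt = cur.publishedAt;
    }
  }
  return flagged;
}

// True if the version a lockfile resolved to is one of the flagged releases,
// i.e. an install would pull in a version published right after the gap.
function resolvesToFlagged(packument, resolvedVersion, options) {
  return findDormancyBreaks(packument, options).some((f) => f.version === resolvedVersion);
}

// Stand-alone run on the constructed sample.
for (const hit of findDormancyBreaks(samplePackument)) {
  console.log(`${samplePackument.name}@${hit.version}: ${hit.reason} (gap ${hit.gapDays} days)`);
}
```

To run the same check against a real package, feed it the output of `npm view <name> time --json`, which prints exactly the `time` object the function consumes; a long gap followed by a same-day burst is a reason to pin the last known-good version in the lockfile and inspect the new tarballs before installing, not proof of compromise on its own.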