New “critical severity” alerts about malware buried in two npm package managers widely used by some of the largest names in IT heightened software supply chain security concerns again on Friday.
Two prominent npm package managers — the Coa parser and the rc configuration loader — have been hijacked and equipped with password-stealing malware, according to separate GitHub alerts confirmed by the npm security team.
The npm security team confirmed that harmful code was published in versions of the package rc. Users of the affected versions (1.2.9, 1.3.9, and 2.3.9) should immediately downgrade to 1.2.8 and monitor their computers for unusual activities.
The rc package is widely disseminated and used by large tech companies, with over 14 million downloads per week.
The same problem occurred in the Coa parser for command-line parameters. Coa is another link in the open-source software supply chain, with roughly 8.8 million downloads every week.
GitHub stated that “any computer with [the vulnerable] package installed or running should be regarded totally hacked.”
“All secrets and keys on that computer should be rotated from a different computer as soon as possible. The item should be uninstalled, but because the computer’s full control may have been granted to an outside entity, there’s no guarantee that doing so will remove any malicious software that resulted from its installation “the business added.
This is the second big npm package manager vulnerability involving malware put in a popular JavaScript library without the user’s knowledge. Security response professionals were hurrying in late October to assess the harm caused by crypto-mining and password-stealing malware contained in ua-parser-js, a npm package (JavaScript library) with around 8 million weekly downloads.
Because of the software supply chain ramifications, the attack drew widespread attention, prompting GitHub to issue an urgent warning that any computer running the embedded npm package “should be considered fully hacked.”
“Three versions of the npm package ua-parser-js were released with malicious code. Users of the impacted versions (0.7.29, 0.8.0, and 1.0.0) should upgrade immediately and monitor their computers for unusual activity, according to GitHub.
