Table of Contents
November 8, 2021
|5m
How Can You Protect Your Computer From Infected ‘COA’ and ‘rc’ NPM Packages?
Recently, the globe has witnessed another supply chain attack. This time attackers cleverly infected two popular NPM packages: COA and rc, with password-stealing malware to create a backdoor on the victim computers. Let’s see how can you protect your computer from infected COA and rc NPM packages.
Victims Of The Infected NPM Packages:
No discrimination has been seen in terms of the victims. Since it is a supply chain attack, the one who installs the infected package would become a victim. It’s been said that these two NPM packages were downloaded 22 million times in a week of time altogether.
What Is NPM?
npm is the world’s largest Software Library(Registry). npm has more than 800,000 packages in its software registry. npm is not only a software registry but also a software Package Manager and Installer. It is released under an open-source license and made free to use. Anybody can download and npm and its public software packages without any registration or login. So many organizations use npm in their private developments.
How To Install NPM And Its Packages?
npm will get installed when you download and install Node.js. You should install Node.js to install npm. You can learn how to install or upgrade Node.js from this page.
What Are COA And rc NPM Packages?
COA (Command-Option-Argument) is a parser for command-line options. It aims to get maximum profit from formalization of your program API. You can read more about COA from its official site. rc is the non-configurable configuration loader. Visit this page to learn rc with its usage, formats, standards, and with live examples.
Infected Versions Of COA And rc Packages:
| NPM Package | Affected versions |
| COA | = 2.0.3 = 2.0.4 = 2.1.1 = 2.1.3 = 3.0.1 = 3.1.3 |
| rc | = 1.2.9 = 1.3.9 = 2.3.9 |
How To Protect Your Computer from Infected ‘COA’ And ‘rc’ NPM Packages?
If you are running COA with any one of the affected versions (v2.0.3 and above), then please downgrade your COA to 2.0.2 as soon as possible and check for suspicious activities.
In the same way, if you are running the affected versions (1.2.9, 1.3.9, and 2.3.9) of rc npm package on your computer, then downgrade your rc package to 1.2.8 as soon as possible and check for suspicious activities.
Any computer that has affected versions of COA and rc packages installed or running on them should be considered fully compromised and you should do these steps to neutralize the infections.
Unplug the network cable and isolate the machine from the network. You can keep the computer untouched if you want to carry out the threat analysis to identify IOCs.
Initiate the full image backup or filesystem backup from a clean backup snapshot. Restore the machine with clean image.
If you don’t have the backup, then immediately downgrade the npm package to the ininfected versions as suggested above.
Removal of the package doesn’t guarantee that infection has been removed. All secrets and keys stored on that computer should be rotated immediately from a different computer.
Run all the security checks on the infected system and make sure your machine is not infected with the malware.
Run these checks on the suspected machines:
Check for unusual accounts created, especially in the administrator’s group
Check for unusual big files on the storage, bigger than five GB
Check for any unusual files added recently in system folders
Check for files using the “hidden” attribute Property
Check for unusual programs launched at boot time in the windows registry
Check all running processes for unusual/unknown entries, especially processes with username “system” and “administrator.”
Check user’s autostart folders
Check for unusual/unexpected network services installed and started
Check for unusual network activity
Check at the opened sessions on the machine
Check for unusual automated tasks
Check for unusual log entries
Check for any rootkit
Run an anti-virus product on the whole disk to check for any malware
How to downgrade the npm package?
Step 1. Install the older version of npm package
Specify the version with ‘@’ char either to install or uninstall the npm package.
Syntax:npm install <package>@<version>
Ex:
$ npm install coa@2.0.2
$ npm install rc@1.2.8
Step 2. Check the versions of npm packages
It is easy to see the versions of npm packages with this simple command.
Syntax:
npm view <package> versions
Ex:
$ npm view coa versions
$ npm view rc versions
Step 3. Uninstall the affected versions of npm packages
Since we don’t have the affected versions of COA and rc npm packages, there is nothing to remove from our server. if you see affected versions on your machine, uninstall the package with the version number like the installation process.
Syntax:
npm uninstall <package>@<version>
Ex:1. npm uninstall coa@2.0.32. npm uninstall coa@2.0.43. npm uninstall rc@1.2.9
For information: Click here
We hope this post would help you in learning How Can You Protect Your Computer from Infected ‘COA’ and ‘rc’ NPM Packages. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
