“Critical Severity” Warnings About Malware Embedded in Two npm Packages


New “critical severity” alerts about malware buried in two widely used npm packages, both present in the dependency trees of some of the largest names in IT, heightened software supply chain security concerns again on Friday.

Two prominent npm packages, the coa command-line argument parser and the rc configuration loader, have been hijacked and equipped with password-stealing malware, according to separate GitHub advisories confirmed by the npm security team.

The npm security team confirmed that malicious code was published in several versions of the rc package. Users of the affected versions (1.2.9, 1.3.9, and 2.3.9) should immediately downgrade to 1.2.8 and monitor their systems for unusual activity.

The rc package is widely used, including by large tech companies, with over 14 million downloads per week.

The same problem hit coa, a parser for command-line arguments and another link in the open-source software supply chain, with roughly 8.8 million downloads every week.

GitHub stated that “any computer with [the vulnerable] package installed or running should be regarded as totally hacked.”

“All secrets and keys on that computer should be rotated from a different computer as soon as possible. The item should be uninstalled, but because full control of the computer may have been granted to an outside entity, there’s no guarantee that doing so will remove any malicious software that resulted from its installation,” GitHub added.

This is the second major incident in recent weeks involving malware planted in a popular npm package without the developer’s knowledge. In late October, security response teams were scrambling to assess the damage caused by crypto-mining and password-stealing malware embedded in ua-parser-js, an npm package (JavaScript library) with around 8 million weekly downloads.

Because of the software supply chain ramifications, that attack drew widespread attention, prompting GitHub to issue an urgent warning that any computer running the affected npm package “should be considered fully hacked.”

“Three versions of the npm package ua-parser-js were released with malicious code. Users of the impacted versions (0.7.29, 0.8.0, and 1.0.0) should upgrade immediately and monitor their computers for unusual activity,” according to GitHub.
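The first practical step after an advisory like the two above is to find out whether any of the named versions actually sit in your dependency tree, including transitively. The script below is an added example written for this article, not code from GitHub, npm or either package’s maintainers. It scans an npm package-lock.json (both the older nested v1 layout and the flat v2/v3 “packages” layout) for the rc and ua-parser-js versions the advisories list; coa’s affected versions are not given in the article, so that entry is left for the reader to fill in from the GitHub advisory. The sample lockfile is constructed here for illustration.

```javascript
// Added example: scan an npm package-lock.json for the malicious versions
// named in the rc and ua-parser-js advisories quoted in the article.
// Not part of the article or of any advisory; the sample lockfile below
// is constructed for illustration.

// Version lists taken from the advisories as quoted in the article.
// coa's affected versions are not listed in the article, so the entry is
// left empty; fill it in from the GitHub advisory before relying on it.
const AFFECTED = {
  "rc": new Set(["1.2.9", "1.3.9", "2.3.9"]),
  "ua-parser-js": new Set(["0.7.29", "0.8.0", "1.0.0"]),
  "coa": new Set([]),
};

// Walk a parsed lockfile and return every installed copy of an affected
// version as { name, version, path }. Lockfile v2/v3 carries a flat
// "packages" map keyed by node_modules path; v1 nests "dependencies".
// A v2 file also carries a legacy "dependencies" tree, so prefer
// "packages" when present to avoid reporting the same install twice.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const bad = AFFECTED[name];
    if (bad && bad.has(version)) hits.push({ name, version, path });
  };

  if (lock.packages) {
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project itself
      // Package name is everything after the last "node_modules/",
      // which keeps scoped names such as "@scope/name" intact.
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, meta.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Human-readable summary; the remediation text follows the advisories
// quoted in the article (downgrade rc to 1.2.8, upgrade ua-parser-js,
// rotate secrets from a different machine).
function report(lock) {
  const hits = findAffected(lock);
  if (hits.length === 0) return "no affected versions found in lockfile";
  const lines = hits.map((h) => `AFFECTED: ${h.name}@${h.version} at ${h.path}`);
  lines.push("Treat this machine as compromised: rotate all secrets and keys",
             "from a different computer, then replace the affected versions.");
  return lines.join("\n");
}

// Constructed sample lockfile (v2 layout) with one nested transitive hit.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/rc": { version: "1.2.9" },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-tool/node_modules/ua-parser-js": { version: "1.0.0" },
    "node_modules/coa": { version: "2.0.2" },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]
// Without a path, the constructed sample above is scanned instead.
if (process.argv[2]) {
  const text = require("fs").readFileSync(process.argv[2], "utf8");
  console.log(report(JSON.parse(text)));
} else {
  console.log(report(SAMPLE_LOCK));
}
```

A lockfile scan only covers what the lockfile records; `npm ls rc ua-parser-js coa` run in the project directory is a quick cross-check against what is actually installed. Either way, finding a hit means following the advisory’s advice above: rotate credentials from a clean machine first, since uninstalling the package does not undo what its install script may already have done.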

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.