2 min read

Popular NPM Repositories Compromised in Man-in-the-Middle Attack

Silviu STAHIE

November 08, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Popular NPM Repositories Compromised in Man-in-the-Middle Attack

Unknown hackers compromised two NPM repositories that have been used by millions of people in the past, trying to establish the foundation of a man-in-the-middle attack and deploying a banking trojan.

We’re used to hearing about hackers compromising networks and apps, or simply deploying malware through various other methods, but man-in-the-middle attacks might not seem all that common. Unfortunately, just because they don’t often make the news doesn’t mean they’re rare. Compromising libraries or apps before they reach consumers leaves few traces and can take a long time before it’s discovered.

In this case, NPM issued an advisory warning people that a couple of libraries, ‘coa’ and ‘rc’ have been compromised and infected with malware.

“The npm package coa had versions published with malicious code. Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity,” stated NPM on GitHub. A similar advisory is available for the ‘rc’ package.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” NPM added.

The malware attackers deployed seem to be a DanaBot variant, allowing criminals to capture and download information from victims’ devices.

Unlike typosquatting attacks, in which criminals create infected libraries with names very similar to the official ones, the attackers managed to compromise the official repositories and replace the files. That’s why the NPM team issued a statement on Twitter explaining what likely happened.

“This morning we detected multiple versions of the “coa” package published with malicious code due to a compromised account of a maintainer,” said the team. “We quickly removed the compromised versions […] and the compromised account has been temporarily disabled.”

They also advised other maintainers to enable multi-factor authentication as soon as possible, indicating the likely path taken by attackers to compromise the repositories.

tags


Author



Right now

Top posts

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

January 26, 2023

2 min read
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

January 19, 2023

4 min read
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Meta Pays Out Bounties for Account Takeover and Two-Factor Authentication Bypass Exploits Meta Pays Out Bounties for Account Takeover and Two-Factor Authentication Bypass Exploits
Silviu STAHIE

January 31, 2023

1 min read
Hackers steal 10 million customer details from JD Sports Hackers steal 10 million customer details from JD Sports
Graham CLULEY

January 30, 2023

2 min read
North Korean Hackers Tried to Launder $100 Million in Crypto Stolen in 2022 North Korean Hackers Tried to Launder $100 Million in Crypto Stolen in 2022
Silviu STAHIE

January 25, 2023

1 min read