coa - isotope¹³

Incident Summary

coa NPM package maintainer hijack distributes malware

Attackers compromised maintainer credentials for the coa command-line argument parser and published malicious versions with Windows-focused password-stealing malware. The package's quiet place in dependency trees amplified the blast radius, pulling downstream consumers such as rc into the same poisoned npm current.

Date: 2021-11-04
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Data Exfiltration
Cause: Compromised Account/Credentials

What Was Affected

Package coa

LanguageJavascript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.org

Repository github.com/veged/coa

Compromised Versions

Incident Context

Motive: Credential Theft
Attribution: Individual Hacker
Transitive: No
Observed Duration: 0 days

Evidence

Compromised Artifacts

Current Artifacts and Analysis

Indicators and Changes

Hashes

sha256:cd2adb9c16e3c5373f77c4288ab017be03c3a7f8320a2506e9129a402c0c69d6
sha256:dc7a59c2d600db8f748f0a722e363527e3332a0fd7ffd7d24342a7de6125e9e0

External References

Source Data

Source record: oss/coa/meta.yaml