rc npm releases carried malware
Attackers who had taken over the maintainer account published rc 1.2.9, 1.3.9, and 2.3.9 with a malicious install script. The same account-takeover wave also hit coa.
Story
rc was compromised in its own right, not merely as a downstream casualty of coa. npm and GitHub advisories identify three malicious rc releases: 1.2.9, 1.3.9, and 2.3.9. They appeared during the same November 2021 account-takeover wave that hit coa.
The injected install script ran obfuscated JavaScript that detected the host operating system and then fetched a platform-specific shell or batch stage. On Windows, public reporting tied that stage to a DLL detected as Qakbot.
The release pattern was conspicuous. rc had not shipped a release in years, so sudden new versions of a package with more than ten million weekly downloads drew attention quickly, and npm removed the affected versions.
GitHub's advisory treated any machine that had installed or run the affected versions as fully compromised and recommended pinning back to 1.2.8, rotating every secret and key stored on that machine from a separate, trusted system, and investigating for persistence. Because 1.2.9 and 1.3.9 satisfy the caret ranges (^1.2.x) that most dependents use, a project with no direct rc dependency could still have resolved one of them transitively; the lockfile, not package.json, is what has to be checked.
Affected Artifacts
- Observed: 2021-11-04 to 2021-11-05
- Fixed: Not listed
- Hashes:
  - sha256:47e42e13c821b68a5e7a60114ac739bcb22365c41f0b5dcefa8632ce977a5f53
  - sha256:3bbc2a836422ea9c327bb3e7b8429b3b6a878dc25811e19869bb48e0b933c089
Incident Context
- Motive: Credential Theft
- Cause: Compromised Account Credentials
- Transitive: Yes
- User Impact: 10,000,000 (weekly downloads)
External References
Source record: oss/attacks/rc/meta.yaml