rc
rc npm package published with malicious code in the same campaign as coa
On 2021-11-04 the npm account of the rc maintainer was hijacked and three malicious versions of the configuration loader (1.2.9, 1.3.9 and 2.3.9) were published, carrying the same password-stealing malware as the hijacked coa releases of the same day. The payload ran from a preinstall script, so it executed during `npm install` before any project code imported rc. Because rc sits deep in the dependency trees of many popular packages, most affected projects never listed it in their own package.json: they pulled the poisoned version in transitively through a lockfile update. That is the point of this record: a project whose own code is clean can still ship malicious code through its dependency tree.
- Date
- 2021-11-04 to 2021-11-05
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- dependency
- Impact
- Data Exfiltration
- Cause
- Malicious Dependency
What Was Affected
Package
rc
Language
JavaScript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.org
Repository
github.com/dominictarr/rc
Compromised Versions
1.2.9, 1.3.9, 2.3.9
Incident Context
- Motive
- Credential Theft
- Attribution
- Compromised Dependency
- Transitive
- Yes
- User Impact
- 10,000,000
- Observed Duration
- 1 day
Evidence
Compromised Artifacts
- registry.npmjs.org/rc/-/rc-1.2.9.tgz
- registry.npmjs.org/rc/-/rc-1.3.9.tgz
- registry.npmjs.org/rc/-/rc-2.3.9.tgz
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:47e42e13c821b68a5e7a60114ac739bcb22365c41f0b5dcefa8632ce977a5f53
sha256:3bbc2a836422ea9c327bb3e7b8429b3b6a878dc25811e19869bb48e0b933c089
External References
Source Data
Source record: oss/rc/meta.yaml