Malware Backdoor in NPM packages Discovered After 22 Million Downloads

Two popular NPM packages with combined weekly downloads of roughly 22 million were found to be infected with malicious code by gaining illegal access to the respective developer’s accounts, in yet another supply chain hack targeting open-source software repositories.

The two libraries in question are “coa,” a command-line option parser, and “rc,” a configuration loader, which were both altered to include “similar” password-stealing malware by an anonymous malicious attacker.

What is an NPM Package?

For the JavaScript runtime environment Node.js, npm (Also known as Node Package Manager) is the default package manager. It comprises a command-line client, commonly known as npm, and the npm registry, an online database of public and paid-for private packages. The client may access the registry, and the npm website can be used to browse and search for available packages. npm, Inc. is in charge of the package manager and registry.

NPM Package

What is COA?


A Command-Option-Argument or COA is a command-line option parser that aims to get the most out of formalizing your program’s API. When you construct a definition in terms of commands, options, and arguments, the relevant results are generated automatically like Program API for using COA-based apps as modules, Command line help text, and completion of the shell.

According to a GitHub advisory published on November 4, all versions of coa starting with 2.0.3 and above — 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, and 3.1.3 — are affected, and users of the affected versions are advised to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity.

What is rc?

This is the lazy person’s non-configurable configuration loader. Your configuration settings will be combined with the defaults you choose and a  predetermined defaults object will be changed if you pass it in.

Similarly, malware has been discovered in versions 1.2.9, 1.3.9, and 2.3.9 of rc, with an independent advisory advising users to downgrade to version 1.2.8. This package should be considered compromised on any machine that has it installed or running. All secrets and keys on that computer should be rotated from a different computer as soon as possible. The package should be uninstalled, but because the computer’s entire control may have been granted to an outside entity, no surety doing so will remove any dangerous software that resulted from its installation.

Systweak Antivirus: Your real-time protection to Malware

Systweak Antivirus

Systweak Antivirus provides real-time protection for your computer against all types of malicious attacks. It also includes the StopAllAds browser plugin, which filters annoying adverts and protects the computer by blocking the download or access of malware and other types of harmful software. Systweak Antivirus protects your computer from exploits 24 hours a day, 365 days a year. It improves the current performance of the computer by serving as a final solution for all security requirements.

Real-time security. Systweak Antivirus is one of the few antivirus solutions that can detect potential threats/apps based on how they behave on your computer.

It’s quite simple to use. This program has a straightforward user interface that your entire family can utilize.

Light-Weight. Because it will not hog your CPU resources, software that consumes the fewest system resources is regarded as the finest.

Secure Web Browsing. It is a term that refers to the act of browsing the internet in This program allows you to access the internet while using an ad blocker plugin to filter advertisements.

Unwanted things should be removed from the computer’s startup menu. Users can disable components that cause the computer to take longer to start.

The Final Word On 22 million downloads for NPM Packages with a backdoor for malware

Additional investigation of the malware samples reveals that it is a DanaBot variation, a Windows virus for stealing credentials and passwords, repeating two similar occurrences last month that resulted in the compromising of UAParser.js and the publication of rogue, typosquatting Roblox NPM packages. “We highly recommend using on your NPM account to safeguard your accounts and packages from similar attacks,” NPM warned in a tweet.

Follow us on social media – Facebook, Instagram, and YouTube. For any queries or suggestions, please let us know in the comments section below. We would love to get back to you with a solution. We regularly post tips and tricks, along with answers to common issues related to technology.

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe Now & Never Miss The Latest Tech Updates!

Enter your e-mail address and click the Subscribe button to receive great content and coupon codes for amazing discounts.

Don't Miss Out. Complete the subscription Now.