The discussion even turned up a humorous (yet informative) image, posted by GitHub user Luuuuuis, that portrays how dangerous a compromised component can be:

Image posted by user Luuuuuis: https://github.com/veged/coa/issues/99

A substantial number of companies and software developers rely on open-source NPM packages for their projects. Neither these packages nor the maintainer accounts that publish them are always protected well enough to rule out incidents like this one. A single compromised component in a widely used package can have a domino effect on organizations that pull it in, often transitively, somewhere in the build of a large project.

Veged/coa NPM Repository Compromised

The compromised package is being exploited in the wild for malicious purposes and is rated a critical risk. This is not a bug in coa's own code but embedded malicious functionality (a backdoor) inserted into the published package: any application that installs an affected release runs attacker-supplied code, giving a remote attacker unauthorized access to that application and the machine it was installed on. The compromised releases include crypto-mining and password-stealing malware. This is also not the first time an NPM package has been hijacked to distribute such malware.

Vulnerable Releases

coa: v2.0.3 and v2.1 are affected; v2.0.2 is the last clean release.

Important User Info

According to GitHub user Roberto Wesley Overdijk, the current status of the situation is that NPM has removed the compromised versions and has "blocked new versions from being published temporarily while recovering access to the package." Ibexa has likewise confirmed that v2.0.3 and newer releases have been unpublished: "NPM has resolved the issue by unpublishing v2.0.3 and newer versions, and have marked v2.0.2 as the last released version. Please make sure you run this version." Because the afflicted versions have been removed from the registry, fresh installs will no longer receive them. Unpublishing does not, however, clean up copies that are already in node_modules or pinned in a lockfile, so check the installed version of coa, including transitive copies pulled in by other packages, pin to v2.0.2, and, given the password-stealing payload, treat any machine that installed an affected version as potentially compromised. Users should also check back on the GitHub page for the latest information.
