
“Critical Severity” Warnings About Malware Embedded in Two npm Packages

New “critical severity” alerts about malware buried in two npm packages widely used by some of the largest names in IT heightened software supply chain security concerns again on Friday.

Two widely used npm packages — the Coa command-line parser and the rc configuration loader — were hijacked and republished with password-stealing malware, according to separate GitHub advisories confirmed by the npm security team.

The npm security team confirmed that malicious code was published in several versions of the rc package. Users of the affected versions (1.2.9, 1.3.9, and 2.3.9) should immediately downgrade to 1.2.8 and monitor their computers for unusual activity.

The rc package is widely disseminated and used by large tech companies, with over 14 million downloads per week.

The same problem occurred in the Coa parser for command-line parameters. Coa is another link in the open-source software supply chain, with roughly 8.8 million downloads every week.

GitHub stated that “any computer with [the vulnerable] package installed or running should be regarded as totally hacked.”


“All secrets and keys on that computer should be rotated from a different computer as soon as possible. The item should be uninstalled, but because the computer’s full control may have been granted to an outside entity, there’s no guarantee that doing so will remove any malicious software that resulted from its installation,” the business added.


This is the second major npm package incident in which malware was planted in a popular JavaScript library without users’ knowledge. In late October, security response teams were scrambling to assess the damage caused by crypto-mining and password-stealing malware embedded in ua-parser-js, an npm package (JavaScript library) with around 8 million weekly downloads.

Because of the software supply chain ramifications, the attack drew widespread attention, prompting GitHub to issue an urgent warning that any computer running the embedded npm package “should be considered fully hacked.”

“Three versions of the npm package ua-parser-js were released with malicious code. Users of the impacted versions (0.7.29, 0.8.0, and 1.0.0) should upgrade immediately and monitor their computers for unusual activity,” according to GitHub.
