Popular npm library ‘coa’ was hijacked today, with malicious code injected into new releases, briefly impacting React build pipelines around the world.
The ‘coa’ library, short for Command-Option-Argument, receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub.
Hours after this discovery, another commonly used npm component, ‘rc’, was also found to have been hijacked. The ‘rc’ library averages 14 million downloads a week.
Malicious code injected into ‘coa’ releases
Today, developers around the world were surprised to notice new releases of the npm library ‘coa’, a project that hasn’t been touched for years, unexpectedly appearing on npm.
‘coa’ is a command-line options parser for Node.js projects. The last stable version 2.0.2 for the project was released in December 2018.
But several suspicious versions, 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3, began appearing on npm a few hours ago, breaking React packages that depend on ‘coa’.
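As an added example (not code from the article or the ‘coa’ project), the following Node script walks a package-lock.json in both the lockfile v1 nested layout and the v2/v3 flat "packages" layout and flags any installed copy of ‘coa’ at one of the versions listed above. The sample lockfile is constructed; the affected ‘rc’ versions are not stated in the article, so that entry is left for the reader to fill in.

```javascript
// Versions named in the article. The hijacked 'rc' versions are not listed
// there, so only 'coa' is populated; extend this map as advisories arrive.
const HIJACKED = {
  coa: new Set(["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"]),
};

// Scan a parsed package-lock.json and return every hijacked package found.
// lockfileVersion 2/3 carries a flat "packages" map keyed by install path;
// lockfileVersion 1 nests "dependencies" under each dependency.
function findHijacked(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (HIJACKED[name] && HIJACKED[name].has(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project, not a dependency
      // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, meta.version, path);
    }
  } else if (lock.dependencies) {
    const walkV1 = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = prefix ? `${prefix} > ${name}` : name;
        check(name, meta.version, where);
        if (meta.dependencies) walkV1(meta.dependencies, where);
      }
    };
    walkV1(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: a v2 lockfile in which a build tool's range "^2.0.2"
// accepted the new 2.0.4 release, so the hijacked version was installed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/build-tool": { version: "1.0.0", dependencies: { coa: "^2.0.2" } },
    "node_modules/coa": { version: "2.0.4" },
  },
};

console.log(findHijacked(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK; an empty array means none of the listed versions is installed.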