Malware in npm packages


Malware hidden in npm packages has become one of the newer software threats, and one with a serious potential security impact.

Not so long ago, one of the most popular JavaScript libraries, UAParser.js, was hijacked and modified with malicious code. The modification included cryptocurrency-mining functions and scripts that download and launch binary packages from remote servers.

UAParser.js is a widely used JavaScript library developed to read the information stored in user-agent strings. According to the project's npm page, it gets around 6 to 7 million weekly downloads, and the official site states that it is used by giants such as Amazon, Apple, Dell, Facebook, HPE, IBM, Microsoft, Mozilla, Oracle, Shopify, Slack, Reddit, and others.

This makes the attack all the more significant. The US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert about the incident.

Later, three more infected packages were detected, named klow, klown and okhsa. However, none of them had been downloaded more than 150 times by the time the threat was detected.

And this month, two more packages were affected: coa, a command-line parser, and rc, a popular lean configuration library. They contained code to install a trojan from the DanaBot family, which is designed to gather personal information: it can scrape user credentials, take screenshots and capture files from the infected computer. Considering how popular these packages are, the attack is quite massive: coa has around 9 million weekly downloads and rc up to 14 million.

What to do?

First of all, you need to check whether any of the affected packages are installed. To do so, run the following console commands.

To check globally:

npm list -g coa
npm list -g rc
npm list -g ua-parser-js

You also need to check the applications that use npm: switch to each project's directory with the cd command and run the same commands there (without the -g flag, which lists only globally installed packages).

Once you see the output of the commands, pay attention to the versions of the packages in use. The affected versions are:

ua-parser-js:

  • 0.7.29
  • 0.8.0
  • 1.0.0

rc:

  • 1.2.9
  • 1.3.9
  • 2.3.9

coa:

  • 2.0.3
  • 2.0.4
  • 2.1.1
  • 2.1.3
  • 3.0.1
  • 3.1.3

If one of the affected versions is in use, you need to replace the package as soon as possible. You can also pin a known-good version directly in your project's package.json (for example, coa@2.0.2). After that, scan the computer for malware.

According to the GitHub security team's advisory, additional security measures should also be taken:

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

It should also be mentioned that if you find malware in an npm package, you can report it to the npm Security team.
