{
	"id": "4131ca49-bd14-4858-964f-d22f0aa96c18",
	"created_at": "2026-04-06T00:22:34.122675Z",
	"updated_at": "2026-04-10T03:20:04.989791Z",
	"deleted_at": null,
	"sha1_hash": "6d933c0f8bf3dfefee768998013e338da50a74ae",
	"title": "Popular NPM Repositories Compromised in Man-in-the-Middle Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67720,
	"plain_text": "Popular NPM Repositories Compromised in Man-in-the-Middle\r\nAttack\r\nBy Silviu STAHIE\r\nArchived: 2026-04-05 17:12:23 UTC\r\nUnknown hackers compromised two NPM repositories that have been used by millions of people in the past,\r\ntrying to establish the foundation of a man-in-the-middle attack and deploying a banking trojan.\r\nWe’re used to hearing about hackers compromising networks and apps, or simply deploying malware through\r\nvarious other methods, but man-in-the-middle attacks might not seem all that common. Unfortunately, just\r\nbecause they don’t often make the news doesn’t mean they’re rare. Compromising libraries or apps before they\r\nreach consumers leaves few traces and can take a long time before it’s discovered.\r\nIn this case, NPM issued an advisory warning people that a couple of libraries, ‘coa’ and ‘rc’ have been\r\ncompromised and infected with malware.\r\n“The npm package coa had versions published with malicious code. Users of affected versions (2.0.3 and above)\r\nshould downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity,” stated NPM on\r\nGitHub. A similar advisory is available for the ‘rc’ package.\r\n“Any computer that has this package installed or running should be considered fully compromised. All secrets and\r\nkeys stored on that computer should be rotated immediately from a different computer. 
The package should be\r\nremoved, but as full control of the computer may have been given to an outside entity, there is no guarantee that\r\nremoving the package will remove all malicious software resulting from installing it,” NPM added.\r\nThe malware the attackers deployed seems to be a DanaBot variant, allowing criminals to capture and download\r\ninformation from victims’ devices.\r\nUnlike typosquatting attacks, in which criminals create infected libraries with names very similar to the official\r\nones, the attackers managed to compromise the official repositories and replace the files. That’s why the NPM\r\nteam issued a statement on Twitter explaining what likely happened.\r\n“This morning we detected multiple versions of the “coa” package published with malicious code due to a\r\ncompromised account of a maintainer,” said the team. “We quickly removed the compromised versions […] and\r\nthe compromised account has been temporarily disabled.”\r\nThey also advised other maintainers to enable multi-factor authentication as soon as possible, indicating the likely\r\npath taken by attackers to compromise the repositories.\n\nSource: https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack"
	],
	"report_names": [
		"popular-npm-repositories-compromised-in-man-in-the-middle-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d933c0f8bf3dfefee768998013e338da50a74ae.pdf",
		"text": "https://archive.orkl.eu/6d933c0f8bf3dfefee768998013e338da50a74ae.txt",
		"img": "https://archive.orkl.eu/6d933c0f8bf3dfefee768998013e338da50a74ae.jpg"
	}
}