

Following on from the ua-parser-js supply chain attack seen last month, two more npm libraries have been hijacked to distribute DanaBot malware.

The packages `coa` and `rc` both had malicious code added to their repositories that installs DanaBot malware. The malicious scripts use commands found only on Microsoft Windows, so other operating systems are not affected.


The installed malware can be used to steal passwords from web browsers, email accounts and other locations on the machine, as well as to record keystrokes and take screenshots.

Vulnerability Detection

Check for the existence of the malicious files compile.js, compile.bat and sdd.dll.
Check network logs for connections to the malicious site pastorcryptograph[.]at.

Affected Products

`coa` versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.1.3
`rc` versions 1.2.9, 1.3.9, 2.3.9
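The three checks in this bulletin (affected package versions, dropped file names, connections to the C2 domain) can be run across a build host or CI environment with a short script. The one below is an added example written for this bulletin, not tooling from the bulletin's authors or from the coa/rc projects: it reads a project's package-lock.json (both lockfile v1 and v2/v3 layouts), reports any affected coa/rc version together with the safe version to revert to, flags the dropped file names in a directory listing, and greps network log lines for the C2 domain. The lockfile, file paths and log lines embedded in it are constructed sample data; the hostnames and timestamps in them are invented.

```python
"""Checks for the hijacked coa / rc npm releases described in this bulletin.

Added example, not from the original bulletin. The lockfile, path list and
log lines below are constructed sample data.
"""
import json
import os
import re

# Versions listed under "Affected Products", and the safe versions to revert to.
AFFECTED = {
    "coa": {"2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"},
    "rc": {"1.2.9", "1.3.9", "2.3.9"},
}
SAFE = {"coa": "2.0.2", "rc": "1.2.8"}

# File names dropped by the malicious install scripts (Windows only).
MALICIOUS_FILES = {"compile.js", "compile.bat", "sdd.dll"}

# The indicator is kept defanged here, as in the bulletin, and refanged for matching.
C2_DOMAIN = "pastorcryptograph[.]at".replace("[.]", ".")
_C2_RE = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(C2_DOMAIN) + r"(?![A-Za-z0-9-])")


def _walk_v1(deps, found):
    """Recurse through a lockfileVersion 1 'dependencies' tree (nested per package)."""
    for name, info in deps.items():
        if info.get("version", "") in AFFECTED.get(name, ()):
            found.append((name, info["version"]))
        _walk_v1(info.get("dependencies", {}), found)


def find_affected_packages(lockfile_text):
    """Return sorted [(name, version)] for every affected coa/rc entry in a lockfile.

    Lockfile v2/v3 lists every installed copy under 'packages' keyed by its
    node_modules path; v1 nests them under 'dependencies'. Both are scanned,
    so transitive copies (node_modules/foo/node_modules/rc) are caught too.
    """
    lock = json.loads(lockfile_text)
    found = []
    for path, info in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if info.get("version", "") in AFFECTED.get(name, ()):
            found.append((name, info["version"]))
    _walk_v1(lock.get("dependencies", {}), found)
    return sorted(set(found))


def remediation(name):
    """Safe version to pin for a hijacked package (from the bulletin's remediation advice)."""
    return SAFE[name]


def find_malicious_files(paths):
    """Return the paths whose file name matches one of the dropped files."""
    # Split on either separator so Windows paths work when the scan runs elsewhere.
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in MALICIOUS_FILES]


def scan_tree(root):
    """Walk a directory tree (e.g. a project's node_modules) for the dropped files."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_malicious_files(paths)


def find_c2_connections(log_lines):
    """Return log lines (DNS, proxy, firewall) that reference the C2 domain."""
    return [line for line in log_lines if _C2_RE.search(line)]


# Constructed sample data: one direct affected coa, one safe rc, one transitive affected rc.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/coa": {"version": "2.0.4"},
        "node_modules/rc": {"version": "1.2.8"},
        "node_modules/foo/node_modules/rc": {"version": "1.3.9"},
    },
    "dependencies": {
        "coa": {"version": "2.0.4"},
        "rc": {"version": "1.2.8"},
        "foo": {"version": "0.1.0", "dependencies": {"rc": {"version": "1.3.9"}}},
    },
})
SAMPLE_PATHS = [  # constructed
    r"C:\proj\node_modules\coa\package.json",
    r"C:\proj\node_modules\coa\compile.js",
    r"C:\proj\node_modules\coa\compile.bat",
    r"C:\proj\node_modules\coa\sdd.dll",
]
SAMPLE_LOG = [  # constructed; hostnames and timestamps are invented
    "2021-11-04T10:02:11Z dns host=build-07 qname=pastorcryptograph.at type=A",
    "2021-11-04T10:02:12Z proxy host=build-07 GET http://pastorcryptograph.at/ status=200",
    "2021-11-04T10:03:00Z dns host=build-08 qname=registry.npmjs.org type=A",
]

if __name__ == "__main__":
    for name, version in find_affected_packages(SAMPLE_LOCKFILE):
        print(f"AFFECTED {name}@{version}: revert to {name}@{remediation(name)}")
    for path in find_malicious_files(SAMPLE_PATHS):
        print(f"MALICIOUS FILE {path}")
    for line in find_c2_connections(SAMPLE_LOG):
        print(f"C2 CONTACT {line}")
```

To use it on a real system, point `find_affected_packages` at the contents of each package-lock.json, `scan_tree` at each node_modules directory, and `find_c2_connections` at exported DNS or proxy log lines. A host that trips either the file or the C2 check, rather than just the version check, falls under the remediation advice below: treat it as compromised and rotate its credentials, since the version check alone only shows the package was resolved, not that the Windows install script ran.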

Containment, Mitigations & Remediations

Revert to safe versions (coa 2.0.2, rc 1.2.8).
Any computer found to have run the malicious code should be considered compromised and the credentials stored on it rotated.

Multi-factor authentication (MFA) is encouraged as a good mitigation against abuse of stolen credentials.

Indicators of Compromise



Threat Landscape

DanaBot was first reported by Proofpoint in 2018. It is used to steal credentials, which can then be sold to other threat actors or used for banking fraud.

Reported DanaBot activity has been low for the past year up until the ua-parser-js compromise last month.

Mitre Methodologies

T1195.001 – Compromise Software Dependencies and Development Tools
T1555 – Credentials from Password Stores

Further Information

Security Advisory 2021-062 – NPM Libraries Hijacked

Embedded malware in coa

Embedded malware in rc

coa 2.0.2 → 2.0.4

Analysis of the malware