Critical npm Package Hijack: How coa and rc Were Compromised and What to Do

A recent security breach compromised the popular npm packages coa and rc, injecting code that can install ransomware, steal browser passwords, and record keystrokes and screenshots. Developers should lock specific versions and enable two‑factor authentication to protect their projects.


Recently, the widely used npm package UAParser.js, employed by tech giants such as Google, Amazon, Facebook, IBM and Microsoft, was hijacked, affecting millions of users.

The same fate has now befallen two other popular npm packages, coa and rc. The coa library, short for Command‑Option‑Argument, receives about 9 million weekly downloads and is used by roughly 5 million open‑source projects on GitHub.

Within hours of the coa compromise being discovered, the rc library—averaging 14 million weekly downloads and also used by nearly 5 million GitHub repositories—was found to be maliciously altered.

Compared with the earlier UAParser.js attack, the malicious code injected into coa is almost identical but more severe: it can install ransomware, steal passwords from browsers (Chrome, Firefox, Opera, Internet Explorer, Safari), record keystrokes and screenshots, and transmit the data to attackers.

npm has already removed the infected versions. Developers are strongly advised to check whether their projects are affected and to lock coa to version 2.0.2 and rc to version 1.2.8.

Finally, enable two‑factor authentication on your npm account to prevent future compromises.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by JavaScript
