Security advisory: IBEXA-SA-2021-009

Malicious code in NPM veged/coa
Publication date: 04/11/2021, 14:36

Severity: High

Affected versions: npm veged/coa v2.0.3+, v2.1+
Resolving versions: npm veged/coa v2.0.2

This security advisory is about a vulnerability in the NPM package "veged/coa" v2.0.3 and some later versions. The package has been compromised and appears to include cryptomining and password-stealing malware.

NPM has resolved the issue by unpublishing v2.0.3 and newer versions, and has marked v2.0.2 as the last released version. Please make sure you run this version.

If you have been running a version higher than this, verify that you are not affected by any aftereffects. This is especially important if you have been running it in a Windows environment, as the malicious code targeted Windows. Your operating system may be compromised.
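
One way to check which coa versions a project has locked, as an added example that is not part of the original advisory or of Ibexa's or npm's code. It takes a parsed package-lock.json object and flags every coa entry above v2.0.2; the sample lockfile and the package name "example-tool" are constructed for illustration.

```javascript
// Added example, not Ibexa or npm code. Input is a parsed package-lock.json object.
const LAST_GOOD = [2, 0, 2]; // the advisory's resolving version, coa v2.0.2

function isAffected(version) {
  // Compare the numeric major.minor.patch core; pre-release tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true; // unparseable version: flag it for manual review
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_GOOD[i]) return v[i] > LAST_GOOD[i];
  }
  return false; // exactly 2.0.2
}

function findCoa(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "node_modules/coa" || path.endsWith("/node_modules/coa")) {
        hits.push({ where: path, version: info.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const here = trail.concat(name);
        if (name === "coa") hits.push({ where: here.join(" > "), version: info.version });
        walk(info.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile; "example-tool" is a made-up parent package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/coa": { version: "2.0.2" },
    "node_modules/example-tool/node_modules/coa": { version: "2.1.3" },
  },
};

for (const r of findCoa(SAMPLE_LOCK)) {
  console.log(`${r.affected ? "AFFECTED" : "ok"}  coa@${r.version}  (${r.where})`);
}
```

To scan a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `findCoa`. A clean lockfile only shows what is pinned now, not what was installed while the compromised versions were still published.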

For more information please see https://github.com/veged/coa/issues/99


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
