Security advisory: IBEXA-SA-2021-009

Malicious code in NPM veged/coa
Publication date:
04/11/2021, 14:36


Affected versions: npm veged/coa v2.0.3+, v2.1+
Resolving versions: npm veged/coa v2.0.2

This security advisory is about a vulnerability in the NPM package "veged/coa" v2.0.3 and some later versions. The package has been compromised and appears to include cryptomining and password stealing malware.

NPM has resolved the issue by unpublishing v2.0.3 and newer versions, and have marked v2.0.2 as the last released version. Please make sure you run this version.

If you have been running higher version numbers than this, verify that you are not affected by any after effects. This is especially important if you have been running this in a Windows environment, as the malicious code was targeted towards Windows. Your operating system may be compromised.

For more information please see

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories