Security comment on popular npm library ‘coa’ hijacked with malicious code injection
November 2021 by Jasson Casey, CTO at Beyond Identity
Following the news that the popular npm library ‘coa’ was recently hijacked to steal user passwords – Jasson Casey, CTO at Beyond Identity, offers the following comment:
“As there are limited or no automatic controls around verified identities of developers and software authorship, these types of attacks are trivial given a compromised developer machine or lost access key.
The more subtle attacks, such as uncommenting a line of code that re-introduces a vulnerability, are more concerning. These attacks cannot be protected against with code reviews, which are prone to error, but only with verified identity of software authorship.”