by capableweb 1693 days ago
What a worthless advisory, how about sharing who could possibly be affected at the very top, or at least anywhere?

Going to the issue, it seems the `preinstall` field was changed to `start /B node compile.js & node compile.js",` which means this would only run on Windows machines, everyone else seems to be unaffected.

Here is how you can find out if you have the affected package on your machine/instance:

    find ~/projects/ -type d -name "*coa*" | xargs -I {} jq .version {}/package.json 2>/dev/null
Assumes you have `find`, `xargs` and `jq` installed; it will print all versions of coa it can find. Seems any version above 2.0.3 is bad.

Edit: is anyone sitting on the source for `compile.js` as mentioned? Would be interesting to see.


"Bleeping Computer" published screenshots of it (and also has some analysis),

https://www.bleepingcomputer.com/news/security/popular-coa-n...

This should be a top-level comment, if not a post in its own right - it explained the entirety of the situation way better than TFA.
That post doesn’t say much about `coa`, besides “new versions started appearing and builds started failing”. The bug report linked from GitHub advisory does a good job of describing the issue, though: https://github.com/veged/coa/issues/99
That's fair, but it describes the change in great detail, and makes it easier to figure out that the primary issue was only on Windows systems.
So if I’m reading this correctly, only Windows hosts are directly affected by the malware. On macOS and Linux one only needs to rollback to a healthy version of the package?
-name "*coa*" is a bit too eager. It will flag other packages too, like the fairly popular babel-plugin-nullish-coalescing
If you have an index for the locate command it's probably easier to do:

    locate "/coa/package.json" | xargs -I {} jq .version {} 2>/dev/null

Maybe print the command (`-t`) that xargs executes, to make identification easier.
It's sort of a moot point since if you have an affected version you have to assume your whole system is compromised anyway in the case of this type of issue.
On Windows (with powershell):

    gci -r -dir | where name -eq coa | % { $dir = $_.FullName; gc -Raw (Join-Path $dir package.json) -EA SilentlyContinue | ConvertFrom-Json | select version, @{n='path'; e={$dir}} }
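The `find`, `locate` and `gci` one-liners above all hunt for the package by directory name, which is why `*coa*` over-matches. Below is an added example (written for this page, not code from the thread or from the coa project) that matches on the `"name"` field inside package.json instead, reports every installed copy with its version, and flags a copy as suspicious when its `preinstall` script mentions `compile.js` or a `compile.js` file sits next to package.json (the hook the thread quotes). It also pulls coa versions out of a package-lock.json (v1 `dependencies` tree or v2/v3 `packages` map) for hosts where node_modules is not checked out. The sample tree it builds, the version numbers in it and the "compile.js means suspicious" rule are assumptions for the demo, not facts taken from the advisory; the script prints versions and leaves the good/bad cut-off to the reader.

```python
import json
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hook the thread quotes from the tampered package.json "preinstall" field.
MALICIOUS_PREINSTALL = "start /B node compile.js & node compile.js"


@dataclass
class CoaInstall:
    path: str                 # directory holding package.json
    version: str
    preinstall: Optional[str]
    suspicious: bool          # preinstall mentions compile.js, or compile.js is present


def inspect_coa_dir(pkg_dir: str) -> Optional[CoaInstall]:
    """Return details for pkg_dir if its package.json really declares name "coa"."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    # Match on the declared name, not the directory name, so a directory that
    # merely contains "coa" (babel-plugin-nullish-coalescing) is ignored.
    if data.get("name") != "coa":
        return None
    preinstall = (data.get("scripts") or {}).get("preinstall")
    has_dropper = os.path.exists(os.path.join(pkg_dir, "compile.js"))
    # Assumption for this example: a compile.js hook or file is the tell-tale.
    suspicious = "compile.js" in str(preinstall or "") or has_dropper
    return CoaInstall(pkg_dir, str(data.get("version", "?")), preinstall, suspicious)


def find_coa_installs(root: str) -> List[CoaInstall]:
    """Walk root and report every installed coa package, sorted by path."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "coa" and "package.json" in filenames:
            info = inspect_coa_dir(dirpath)
            if info:
                found.append(info)
    return sorted(found, key=lambda i: i.path)


def coa_versions_in_lockfile(lock_path: str) -> List[Tuple[str, str]]:
    """coa versions pinned in package-lock.json (v2/v3 'packages' or v1 'dependencies')."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    hits: List[Tuple[str, str]] = []
    for key, entry in (lock.get("packages") or {}).items():
        if key == "node_modules/coa" or key.endswith("/node_modules/coa"):
            hits.append((key, entry.get("version", "?")))

    def walk_v1(deps, prefix):
        for name, entry in (deps or {}).items():
            key = prefix + name
            if name == "coa":
                hits.append((key, entry.get("version", "?")))
            walk_v1(entry.get("dependencies"), key + ">")

    if "packages" not in lock:          # lockfileVersion 1 has no "packages" map
        walk_v1(lock.get("dependencies"), "")
    return sorted(hits)


def _write_json(path: str, obj) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(obj, fh)


def build_sample_tree(root: str) -> None:
    """Constructed sample: one tampered coa, one clean nested coa, one look-alike."""
    nm = os.path.join(root, "node_modules")
    _write_json(os.path.join(nm, "coa", "package.json"),
                {"name": "coa", "version": "2.0.4",
                 "scripts": {"preinstall": MALICIOUS_PREINSTALL}})
    open(os.path.join(nm, "coa", "compile.js"), "w").close()   # empty stand-in
    _write_json(os.path.join(nm, "some-tool", "node_modules", "coa", "package.json"),
                {"name": "coa", "version": "2.0.2", "scripts": {"test": "mocha"}})
    _write_json(os.path.join(nm, "babel-plugin-nullish-coalescing", "package.json"),
                {"name": "babel-plugin-nullish-coalescing", "version": "1.0.0"})
    _write_json(os.path.join(root, "package-lock.json"),
                {"lockfileVersion": 2,
                 "packages": {"node_modules/coa": {"version": "2.0.4"},
                              "node_modules/some-tool/node_modules/coa": {"version": "2.0.2"}}})


def scan_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, return plain results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        installs = find_coa_installs(root)
        locked = coa_versions_in_lockfile(os.path.join(root, "package-lock.json"))
        return {
            "installs": [(os.path.relpath(i.path, root).replace(os.sep, "/"),
                          i.version, i.suspicious) for i in installs],
            "locked": locked,
        }


if __name__ == "__main__":
    import sys
    for inst in find_coa_installs(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "SUSPICIOUS" if inst.suspicious else "ok"
        print(f"{flag:10} coa@{inst.version}  {inst.path}")
```

Run it as `python find_coa.py ~/projects` on a real checkout; `scan_demo()` only exercises the constructed tree. Because it parses package.json rather than globbing names, the look-alike package is skipped and the nested copy under `some-tool/node_modules` is still reported, which the `locate "/coa/package.json"` variant also gets right but the `*coa*` glob does not.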