[SECURITY] coa is compromised - vue create #6813

Closed
socheatsok78 opened this issue Nov 4, 2021 · 13 comments


socheatsok78 commented Nov 4, 2021

Version

4.5.11

Environment info

System:
    OS: macOS 12.0.1
    CPU: (8) x64 Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
  Binaries:
    Node: 14.18.1 - /usr/local/opt/node@14/bin/node
    Yarn: 1.22.17 - /usr/local/bin/yarn
    npm: 6.14.15 - /usr/local/opt/node@14/bin/npm

Steps to reproduce

vue create example-project

Output

error /Users/socheat/Workspace/temp/example-project/node_modules/coa: Command failed.
Exit code: 1
Command: start /B node compile.js & node compile.js
Arguments:
Directory: /Users/socheat/Workspace/temp/example-project/node_modules/coa
Output:
/bin/sh: start: command not found
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module '/Users/socheat/Workspace/temp/example-project/node_modules/coa/compile.js'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Function.Module._load (internal/modules/cjs/loader.js:746:27)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
    at internal/main/run_main_module.js:17:47 {




 ERROR  command failed: yarn

yarn why coa

yarn why v1.22.17
[1/4] 🤔  Why do we have the module "coa"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "coa@2.0.2"
info Reasons this module exists
   - "@vue#cli-service#@intervolga#optimize-cssnano-plugin#cssnano-preset-default#postcss-svgo#svgo" depends on it
   - Hoisted from "@vue#cli-service#@intervolga#optimize-cssnano-plugin#cssnano-preset-default#postcss-svgo#svgo#coa"
info Disk size without dependencies: "112KB"
info Disk size with unique dependencies: "364KB"
info Disk size with transitive dependencies: "536KB"
info Number of shared dependencies: 9
✨  Done in 0.90s.

What is expected?

NA

What is actually happening?

There was an error with https://github.com/veged/coa

Issue link veged/coa#99

socheatsok78 (Author)

Please avoid using vue create before the package has been fixed. Seems like the package has been hacked to include crypto-related code. Currently affecting only Windows users.

See: veged/coa#99 (comment)

@socheatsok78 socheatsok78 changed the title vue create - coa npm error vue create - [SECURITY] coa is compromised Nov 4, 2021
@socheatsok78 socheatsok78 changed the title vue create - [SECURITY] coa is compromised [SECURITY] coa is compromised - vue create Nov 4, 2021
@haoqunjiang haoqunjiang pinned this issue Nov 4, 2021

Sofianio commented Nov 4, 2021

Same problem on macOS 11.6. What should we do? Install an older version of Vue CLI?

socheatsok78 (Author)

Same problem on macOS 11.6. What should we do? Install an older version of Vue CLI?

NPM has removed the version containing the malicious code. You should be able to run vue create again.
But please be aware, since the original author of the package is not responding to the veged/coa#99 issue yet.


Sofianio commented Nov 4, 2021

I just tried with vue ui; I was able to create a project with no problems.

socheatsok78 (Author)

@veged wrote:
malware version was unpublished https://www.npmjs.com/package/coa (right last version 2.0.2) — but we still need ownership of package back (looks like NPM support doing something right now)

socheatsok78 (Author)

I just tried with vue ui; I was able to create a project with no problems.

Yes, everything is back to normal for now.


pennal commented Nov 4, 2021

Unfortunately this is not the case for me, the creation of a new app is still failing:

Vue CLI v4.5.15
Failed to check for updates
✨  Creating project in /Users/lucas/Desktop/dev/test-project.
🗃  Initializing git repository...
⚙️  Installing CLI plugins. This might take a while...

npm ERR! code 1
npm ERR! path /Users/lucas/Desktop/dev/test-project/node_modules/coa
npm ERR! command failed
npm ERR! command sh -c start /B node compile.js & node compile.js
npm ERR! sh: start: command not found
npm ERR! node:internal/modules/cjs/loader:936
npm ERR!   throw err;
npm ERR!   ^
npm ERR!
npm ERR! Error: Cannot find module '/Users/lucas/Desktop/dev/test-project/node_modules/coa/compile.js'
npm ERR!     at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
npm ERR!     at Function.Module._load (node:internal/modules/cjs/loader:778:27)
npm ERR!     at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
npm ERR!     at node:internal/main/run_main_module:17:47 {
npm ERR!   code: 'MODULE_NOT_FOUND',
npm ERR!   requireStack: []
npm ERR! }
npm ERR!
npm ERR! Node.js v17.0.1

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/lucas/.npm/_logs/2021-11-04T15_37_09_785Z-debug.log
 ERROR  command failed: npm install --loglevel error --legacy-peer-deps

It looks like the infected package is still being pulled in. I tried clearing the cache and upgrading everything to the latest version.


pennal commented Nov 4, 2021

OK, looks like the issue got fixed; ignore my previous message.


toro705 commented Nov 4, 2021

I'm still having this problem, although I've already cleaned the cache. Running npm i --legacy-peer-deps.


tcstory commented Nov 5, 2021

OK, looks like the issue got fixed; ignore my previous message.

Which version fixes this issue? I still experienced the issue with 4.5.11.


tcstory commented Nov 5, 2021

I found that the latest version of coa on the official registry and the taobao registry had changed to 2.0.2, but on my private registry it is still 3.1.3; syncing to the official registry should fix the issue.

@haoqunjiang haoqunjiang unpinned this issue Nov 5, 2021
socheatsok78 (Author)

socheatsok78 commented Nov 5, 2021 via email

@lukaszkups

Still having this issue as well, using 4.5.15 version :/
