coa / rc account-compromise malware (npm, 2021)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags manifest pins matching the known-malicious coa/rc releases published during the 2021-11-04 npm account compromise (password-stealer + cryptominer payload).
Why it matters
coa and rc were both compromised through the same hijacked npm publisher account on 2021-11-04. The attacker published malicious versions under version numbers deliberately jumped far ahead of the real latest release (so package managers would treat them as the newest available), each running a postinstall payload that stole passwords and mined cryptocurrency. Both packages are common transitive dependencies of build tooling, so the blast radius was large. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Remove any pin matching the flagged coa/rc versions and reinstall so your package manager resolves a clean release published after the incident. Treat any machine that installed one of these versions as compromised: rotate credentials and rebuild affected CI images.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo