{"id":3644,"date":"2021-11-08T18:45:10","date_gmt":"2021-11-08T13:15:10","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3644"},"modified":"2021-11-08T18:45:17","modified_gmt":"2021-11-08T13:15:17","slug":"popular-coa-npm-library-seized-to-hijack-user-credentials","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/","title":{"rendered":"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials"},"content":{"rendered":"\n

Well-known npm library \u2018coa\u2019 was stealing today with malicious code inserted into it, short-lived affecting React pipelines across the world. The \u2018coa\u2019 library, short for Command-Option-Argument, accepts around 9 million weekly downloads on npm and is utilized by almost 5 million open source repositories on GitHub. <\/strong><\/p><\/p>\n\n\n\n

How does Malicious Code insertion Affect the release of \u2018coa\u2019?<\/strong><\/h2>\n\n\n\n

Recently, developers around the world were left surprised to notice new updates for npm library by \u2018coa\u2019 \u2013 a project that has not been touched for years, unexpectedly comes on npm. \u2018coa\u2019 is a command-line option parser for Node.js projects. The prior stable version 2.0.2 for the project was released in December 2018.<\/p><\/p>\n\n\n\n

But, some suspicious versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, and 3.1.3 start coming on npm as of a few hours ago, breaking React packages that depend on \u2018coa\u2019.<\/p><\/p>\n\n\n\n

\"Popular-\u2018coa\u2019-NPM-library-Seized-to-hijack-User-Credentials-image1\"<\/figure><\/div>\n\n\n\n

The other GitHub user with handle ELBidouilleur saw one of these \u2018coa\u2019 versions, 2.1.3 breaking their build:<\/p><\/p>\n\n\n\n

  • npm ERR! code ELIFECYCLE<\/li>
  • npm ERR! errno 1<\/li>
  • npm ERR! coa@2.1.3 preinstall: start \/B node compile.js & node compile.js<\/li>
  • npm ERR! Exit status 1<\/li>
  • npm ERR!<\/li>
  • npm ERR! Failed at the coa@2.1.3 preinstall script.<\/li>
  • npm ERR! This is probably not a problem with npm. There is likely additional logging output above.<\/li>
  • npm ERR! A complete log of this run can be found in:<\/li>
  • npm ERR! \/home\/mboutin\/.npm\/_logs\/2021-11-04T14_01_45_544Z-debug.log   <\/li><\/ul>\n\n\n\n

    Some developers joined the discussion, confirming experiencing issues with their builds ever since the new \u2018coa\u2019 release hit npm. Right after posting this piece, our experts also came across claims that another well-known npm library, \u2018rc\u2019 was also seized, with malicious versions 1.2.9, 1.3.9, and 2.3.9 coming on npm.<\/p><\/p>\n\n\n\n

    Malware identical to hacked ‘ua-parser-js’ and fake Noblox packages<\/strong><\/h2>\n\n\n\n

    This incident pursues the previous month\u2019s hack of another well-known npm library \u201cua-parser-js\u201d that is utilized by Facebook, Microsoft, Amazon, Reddit, and other big tech organizations.<\/p><\/p>\n\n\n\n

    The malware contained in hacked \u2018coa\u2019 versions, as examined by our experts, is virtually exact to the code discovered in the seized ua-parser-js versions, probably began a link between the attackers behind both the incidents.<\/p><\/p>\n\n\n\n

    Although the malicious ‘coa’ versions have been taken down on npm, as a Sonatype security researcher I was able to retrieve archived copies from Sonatype’s automated malware detection system. Versions 2.0.3, 2.1.3, and some others appear to contain nothing other than suspicious preinstall scripts, shown below:<\/p><\/p>\n\n\n\n

    “preinstall”: “start \/B node compile.js & node compile.js”   <\/p><\/p>\n\n\n\n

    \"Popular-\u2018coa\u2019-NPM-library-Seized-to-hijack-User-Credentials-image2\"<\/figure><\/div>\n\n\n\n

    But it is with 2.0.4 that we see malicious code introduced in full swing. It is in coa: 2.0.4, that the \u201ccompile.js\u201d referenced by the preinstall script actually exists and is run:<\/p><\/p>\n\n\n\n

    The \u201ccompile.js\u201d file contains obfuscated JavaScript code, as given by our experts:<\/p><\/p>\n\n\n\n

    \"Popular-\u2018coa\u2019-NPM-library-Seized-to-hijack-User-Credentials-image3\"<\/figure><\/div>\n\n\n\n

    The JavaScript file further launches a Batch file, \u201ccompile.bat\u201d which is included in the \u201ccoa\u201d npm archive. The Batch script is yet again obfuscated, but in the style of fake Noblox npm, typosquats caught last week that would install ransomware and credential stealers on infected machines. It leverages a concept known as a variable expansion for obfuscation:<\/p><\/p>\n\n\n\n

    \"Popular-\u2018coa\u2019-NPM-library-Seized-to-hijack-User-Credentials-image4\"<\/figure><\/div>\n\n\n\n

    And this Batch file downloads and executes an \u201csdd.dll\u201d from pastorcryptograph. at, which is not discovered to the \u201csdd.dll\u201d dropped by the seized ua-parser-js versions. And the “sdd.dll” dropped by malicious ‘rc’ versions is yet again different (in terms of checksum) than these two. But all of the DLLs essentially plant the same malware.<\/p><\/p>\n\n\n\n

    A deobfuscated copy of the Batch file, shown below, was shared with our experts by _TheEmperors_.<\/p><\/p>\n\n\n\n

    Based on our analysis and information seen thus far, the malware is likely the Danabot password-stealing Trojan for Windows. When loaded via regsvr32.exe, it will eventually launch again using rundll32.exe with various arguments to perform different malicious behavior.<\/p><\/p>\n\n\n\n

    \"Popular-\u2018coa\u2019-NPM-library-Seized-to-hijack-User-Credentials-image6\"<\/figure><\/div>\n\n\n\n

    While loaded, Danabot will execute the various malicious activity, including:<\/p><\/p>\n\n\n\n

    • Steal passwords from a variety of web browsers, including Chrome, Firefox, Opera, Internet Explorer, and Safari.<\/li>
    • Steal passwords from various applications, including VNC, online casino applications, FTP clients, and mail accounts.<\/li>
    • Steal stored credit cards.<\/li>
    • Take screenshots of the active screens.<\/li>
    • Log keystrokes.<\/li><\/ul>\n\n\n\n

      All of this stolen data is then sent back to the threat actors to allow them to breach victims’ other accounts.<\/p><\/p>\n\n\n\n

      What should COA and RC users do?<\/strong><\/h4>\n\n\n\n

      Due to the widespread impact of this supply-chain attack, it is strongly advised that all users of the “coa” and “rc” libraries check their projects for malicious software.<\/p><\/p>\n\n\n\n

      This includes checking for the existence of compile.js, compile.bat, sdd.dll, and deleting the files if they are found.<\/p><\/p>\n\n\n\n

      Because this “sdd.dll” variant has also been identified as a trojan on VirusTotal, and the one dropped by “ua-parser-js” was a credential stealer, infected users should also consider their device fully compromised and change their passwords, keys, and refresh tokens, as they were likely compromised and sent to the threat actor.<\/p><\/p>\n\n\n\n

      “NPM has removed the compromised versions and, if I understand correctly, blocked new versions from being published temporarily while recovering access to the package,” explains Overdijk.<\/p><\/p>\n\n\n\n

      “No fix should be needed as the affected versions have been removed. But I’m leaving what I wrote initially just in case something does go wrong again. For now I’d advise you to pin the version as described below until this has been resolved conclusively.”<\/p><\/p>\n\n\n\n

      Tips shared in the original GitHub discussion include pinning the npm version to stable release “2.0.2”:<\/p><\/p>\n\n\n\n

      • “resolutions”: { “coa”: “2.0.2” },<\/li><\/ul>\n\n\n\n

        For ‘rc’, a safe version to be on would be 1.2.8.<\/p><\/p>\n\n\n\n

        “Following ongoing investigations, we identified in real time multiple versions of the ‘rc’ package containing identical malware to the ‘coa’ package. Malicious versions of ‘rc’ were immediately removed from the registry and we have published an advisory,” states npm, who blamed the incident on a compromised npm account and have recommended that npm maintainers use two-factor authentication to prevent such attacks.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"

        Well-known npm library \u2018coa\u2019 was stealing today with malicious code inserted into it, short-lived affecting React pipelines across the world. The \u2018coa\u2019 library, short for Command-Option-Argument, accepts around 9 million weekly downloads on npm and is utilized by almost 5 million open source repositories on GitHub.  How does Malicious Code insertion Affect the release of […]<\/p>\n","protected":false},"author":2,"featured_media":3653,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"\nPopular \u2018coa\u2019 NPM library Seized to hijack User Credentials - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Well-known npm library \u2018coa\u2019 was stealing today with malicious code inserted into it, short-lived affecting React pipelines across the world. The \u2018coa\u2019 library, short for Command-Option-Argument, accepts around 9 million weekly downloads on npm and is utilized by almost 5 million open source repositories on GitHub.  How does Malicious Code insertion Affect the release of […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-08T13:15:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-11-08T13:15:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/11\/Popular-\u2018coa-NPM-library-Seized-to-hijack-User-Credentials-featured-image-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials\",\"datePublished\":\"2021-11-08T13:15:10+00:00\",\"dateModified\":\"2021-11-08T13:15:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\"},\"wordCount\":958,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\",\"url\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\",\"name\":\"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-11-08T13:15:10+00:00\",\"dateModified\":\"2021-11-08T13:15:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/","og_locale":"en_US","og_type":"article","og_title":"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials - Xiarch Solutions Private Limited","og_description":"Well-known npm library \u2018coa\u2019 was stealing today with malicious code inserted into it, short-lived affecting React pipelines across the world. The \u2018coa\u2019 library, short for Command-Option-Argument, accepts around 9 million weekly downloads on npm and is utilized by almost 5 million open source repositories on GitHub.  How does Malicious Code insertion Affect the release of […]","og_url":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-11-08T13:15:10+00:00","article_modified_time":"2021-11-08T13:15:17+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/11\/Popular-\u2018coa-NPM-library-Seized-to-hijack-User-Credentials-featured-image-1.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials","datePublished":"2021-11-08T13:15:10+00:00","dateModified":"2021-11-08T13:15:17+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/"},"wordCount":958,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/","url":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/","name":"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-11-08T13:15:10+00:00","dateModified":"2021-11-08T13:15:17+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/popular-coa-npm-library-seized-to-hijack-user-credentials\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Popular \u2018coa\u2019 NPM library Seized to hijack User Credentials"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3644"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3644"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3644\/revisions"}],"predecessor-version":[{"id":3654,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3644\/revisions\/3654"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3653"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}