Alert: Popular NPM Packages Hijacked to Deploy Crypto Miners in Major Supply Chain Attack

NPM Packages Hit by Cryptomining Supply Chain Attack

Three widely used npm packages – @rspack/core, @rspack/cli, and Vant – were compromised in a sophisticated supply chain attack. The incident, detected by Sonatype and Socket researchers, involved threat actors using stolen npm account tokens to publish malicious versions that deployed XMRig cryptocurrency miners.

Impact and Affected Packages:
– Rspack (a high-performance JavaScript bundler): Core and CLI components compromised, affecting 394,000 and 145,000 weekly downloads respectively
– Vant (Vue.js UI library): Impacting 46,000 weekly downloads

Technical Details:
– Malicious code embedded in ‘support.js’ (@rspack/core) and ‘config.js’ (@rspack/cli)
– Automatic execution through npm’s postinstall script
– XMRig miner deployment for Monero cryptocurrency mining
– CPU usage limited to 75% to avoid detection
– Reconnaissance capabilities gathering system location and network details

Compromised Versions:
Rspack: Version 1.1.7
Vant: Versions 2.13.3 through 2.13.5, 3.6.13 through 3.6.15, and 4.9.11 through 4.9.14

Remediation:
– Rspack users should upgrade to v1.1.8 or later
– Vant users should update to v4.9.15 or newer
– Both development teams have revoked compromised tokens and implemented additional security measures
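As an added example (not code from the advisory or from the Rspack or Vant projects), the following Node script checks a package-lock.json for the compromised versions listed above, including transitive copies nested under other dependencies, and reports whether the lockfile marks the package as carrying an install script. The lockfile content embedded in it is constructed sample data.

```javascript
// Versions named in this advisory. Vant's ranges are expanded to single versions.
const COMPROMISED = {
  "@rspack/core": ["1.1.7"],
  "@rspack/cli": ["1.1.7"],
  "vant": ["2.13.3", "2.13.4", "2.13.5", "3.6.13", "3.6.14", "3.6.15",
           "4.9.11", "4.9.12", "4.9.13", "4.9.14"],
};

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every entry whose name and exact version appear in COMPROMISED.
function findCompromised(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project itself
    // The package name is everything after the last "node_modules/" segment,
    // which also handles nested installs such as node_modules/a/node_modules/b.
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const bad = COMPROMISED[name];
    if (bad && bad.includes(entry.version)) {
      hits.push({
        path,
        name,
        version: entry.version,
        // npm records this flag when a package declares preinstall/install/postinstall.
        hasInstall: Boolean(entry.hasInstallScript),
      });
    }
  }
  return hits;
}

// Read a real lockfile from disk and scan it (hypothetical helper for CLI use).
function scanLockfilePath(filePath) {
  const fs = require("fs");
  return findCompromised(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample: a patched Vant plus a compromised @rspack/core pulled in
// transitively by an unrelated tool.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vant": { version: "4.9.15" },
    "node_modules/some-tool": { version: "2.0.0", dependencies: { "@rspack/core": "1.1.7" } },
    "node_modules/some-tool/node_modules/@rspack/core": { version: "1.1.7", hasInstallScript: true },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.path} ${h.version} install-script=${h.hasInstall}`);
}
```

Run `scanLockfilePath("./package-lock.json")` against a real project to check it; the sample run reports only the nested @rspack/core 1.1.7 entry.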

The incident highlights the ongoing risks in the software supply chain, following similar recent attacks on platforms like LottieFiles and Ultralytics.