Three widely used npm packages – @rspack/core, @rspack/cli, and Vant – were compromised in a software supply chain attack. The incident, detected by Sonatype and Socket researchers, involved threat actors using stolen npm account tokens to publish malicious versions of the packages that deployed XMRig cryptocurrency miners on installing machines.
Impact and Affected Packages:
– Rspack (a high-performance JavaScript bundler): Core and CLI components compromised, affecting 394,000 and 145,000 weekly downloads respectively
– Vant (Vue.js UI library): Impacting 46,000 weekly downloads
Technical Details:
– Malicious code embedded in ‘support.js’ (@rspack/core) and ‘config.js’ (@rspack/cli)
– Automatic execution through npm’s postinstall script
– XMRig miner deployment for Monero cryptocurrency mining
– Miner CPU usage capped at 75% to reduce the chance of detection
– Reconnaissance capabilities gathering the host’s geographic location and network details
Compromised Versions:
Rspack: Version 1.1.7
Vant: Versions 2.13.3 to 2.13.5, 3.6.13 to 3.6.15, and 4.9.11 to 4.9.14
Remediation:
– Rspack users should upgrade to v1.1.8 or later
– Vant users should update to v4.9.15 or newer
– Both development teams have revoked compromised tokens and implemented additional security measures
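Because the malicious releases ran through npm’s postinstall hook, the practical checks for a defender are (a) whether a lockfile pins any of the compromised versions listed above and (b) which dependencies declare install-time scripts at all. The following is an added example written for this summary, not code from Sonatype, Socket, Rspack or Vant; it reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3, where npm records `hasInstallScript` for packages with preinstall/install/postinstall scripts) and uses only the version numbers stated in this report. The lockfile contents and the package name `example-native-addon` are constructed for the demonstration.

```javascript
// Added example (not part of the original report): audit an npm lockfile for the
// compromised Rspack/Vant versions named above and for any package that declares
// an install-time lifecycle script, which is the hook the malicious releases used.

// Expand the report's shorthand "2.13.3-5" into every concrete version it covers.
function expandRange(spec) {
  const m = spec.match(/^(\d+\.\d+\.)(\d+)(?:-(\d+))?$/);
  if (!m) throw new Error(`unrecognised version spec: ${spec}`);
  const [, prefix, lo, hi] = m;
  const out = [];
  for (let patch = Number(lo); patch <= Number(hi ?? lo); patch++) {
    out.push(`${prefix}${patch}`);
  }
  return out;
}

// Compromised versions and fixed releases exactly as stated in the report.
const COMPROMISED = {
  "@rspack/core": { versions: expandRange("1.1.7"), fixed: "1.1.8" },
  "@rspack/cli": { versions: expandRange("1.1.7"), fixed: "1.1.8" },
  vant: {
    versions: [
      ...expandRange("2.13.3-5"),
      ...expandRange("3.6.13-15"),
      ...expandRange("4.9.11-14"),
    ],
    fixed: "4.9.15",
  },
};

// Lockfile keys look like "node_modules/@scope/name" or
// "node_modules/a/node_modules/b"; the package name follows the last "node_modules/".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns one finding per problem: "critical" for a known compromised release,
// "review" for any package that will run a script during npm install.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    const name = packageNameFromKey(key);
    if (!name) continue; // the "" key is the root project itself
    const known = COMPROMISED[name];
    if (known && known.versions.includes(entry.version)) {
      findings.push({
        name,
        version: entry.version,
        severity: "critical",
        reason: `known compromised release; upgrade to ${known.fixed} or later`,
      });
    }
    if (entry.hasInstallScript === true) {
      findings.push({
        name,
        version: entry.version,
        severity: "review",
        reason: "declares an install-time lifecycle script; inspect it before installing",
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one compromised Rspack core,
// a fixed CLI, a compromised Vant, and an unrelated package with an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@rspack/core": { version: "1.1.7", hasInstallScript: true },
    "node_modules/@rspack/cli": { version: "1.1.8" },
    "node_modules/vant": { version: "4.9.12" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.name}@${f.version}: ${f.reason}`);
}
```

The "review" findings are the ones to act on before the next install: `npm ci --ignore-scripts` installs without running any lifecycle script, so a compromised postinstall payload never executes, at the cost of having to run the scripts of packages that genuinely need them (native addons, for example) by hand after inspection.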
The incident highlights the ongoing risks in the software supply chain, following similar recent attacks on platforms like LottieFiles and Ultralytics.