Two widely used npm packages from the Rspack project, @rspack/core and @rspack/cli, were compromised in a software supply-chain attack. Version 1.1.7 of both packages shipped with cryptocurrency-mining malware, and the affected versions were removed from the npm registry as soon as the compromise was discovered.
Rspack, a high-performance JavaScript bundler written in Rust and developed by ByteDance, has been adopted by major technology companies including Alibaba, Amazon, Discord, and Microsoft. The packages are heavily used: @rspack/core sees roughly 300,000 weekly downloads and @rspack/cli more than 145,000, so a single malicious release reaches a large number of build machines.
The malicious code embedded in the 1.1.7 releases performed the following activities:
– Connected to a remote server (80.78.28.72)
– Exfiltrated cloud service credentials found on the host
– Collected IP addresses and location data via ipinfo.io
– Targeted specific countries including China, Russia, Hong Kong, Belarus, and Iran
– Deployed the XMRig cryptocurrency miner on Linux systems via npm postinstall scripts, which run automatically when the package is installed
In response to the breach, Rspack’s team has:
– Released version 1.1.8 as the clean version to upgrade to
– Invalidated all npm and GitHub tokens
– Reviewed repository permissions
– Conducted thorough source code audits
Security firm Socket, which analyzed the packages, emphasized the need for stronger package-manager safeguards, such as attestation checks that verify a published package came from the expected build pipeline, while noting that even these measures may not provide complete protection against sophisticated attacks on the software supply chain.
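As an added example (not code from the original article or from the Rspack project), the following Node.js script turns the indicators listed above into an offline check that a practitioner could run against a project: it flags the compromised @rspack/core and @rspack/cli 1.1.7 entries in a `package-lock.json` and scans a package manifest's install hooks for the reported C2 address, the ipinfo.io lookup and the XMRig miner. The sample lockfile and manifest embedded below are constructed for this example; the manifest's postinstall command is illustrative and is not the script that shipped in 1.1.7.

```javascript
// Added example, not code from the original article or the Rspack project.
// Offline indicator check for the @rspack/core / @rspack/cli 1.1.7 compromise.

// Name -> set of versions reported as compromised (from the report above).
const COMPROMISED = new Map([
  ["@rspack/core", new Set(["1.1.7"])],
  ["@rspack/cli", new Set(["1.1.7"])],
]);
const SAFE_VERSION = "1.1.8"; // version the Rspack team released as clean

// Indicators of compromise taken from the report above.
const IOC_PATTERNS = [
  { label: "C2 address 80.78.28.72", re: /80\.78\.28\.72/ },
  { label: "ipinfo.io geolocation lookup", re: /ipinfo\.io/i },
  { label: "XMRig miner", re: /xmrig/i },
];

// Lifecycle hooks npm runs automatically during installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@rspack/core" or "node_modules/a/node_modules/@rspack/cli".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? "" : path.slice(idx + marker.length);
}

// Return every lockfile entry whose name/version is on the compromised list.
// Handles lockfileVersion 2 and 3 ("packages" map); v1 lockfiles use a nested
// "dependencies" tree and are not covered here.
function findCompromisedPackages(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || packageNameFromPath(path);
    const badVersions = COMPROMISED.get(name);
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({ name, version: entry.version, path, upgradeTo: SAFE_VERSION });
    }
  }
  return hits;
}

// Scan a parsed package.json's install hooks for the reported indicators.
function findSuspiciousInstallHooks(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const { label, re } of IOC_PATTERNS) {
      if (re.test(cmd)) findings.push({ hook, indicator: label, command: cmd });
    }
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 layout) for this example.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@rspack/core": { version: "1.1.7" },
    "node_modules/@rspack/cli": { version: "1.1.7" },
    "node_modules/some-dep/node_modules/@rspack/core": { version: "1.1.8" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});

// Constructed sample manifest whose postinstall hook contacts the reported C2
// host. Illustrative only; this is not the actual script shipped in 1.1.7.
const SAMPLE_MANIFEST = {
  name: "suspicious-pkg",
  version: "0.0.1",
  scripts: {
    postinstall: "node -e \"require('http').get('http://80.78.28.72/')\"",
  },
};

console.log("compromised lockfile entries:", findCompromisedPackages(SAMPLE_LOCKFILE));
console.log("suspicious install hooks:", findSuspiciousInstallHooks(SAMPLE_MANIFEST));
```

A check like this is a detection aid, not a substitute for the controls the article points at: installing with `npm ci --ignore-scripts` stops postinstall hooks such as the one that launched XMRig from running at all, and `npm audit signatures` verifies registry signatures and provenance attestations for the packages in the lockfile, which is the attestation check Socket recommends. Pattern matching on known indicators only catches this particular incident; a future compromise will use a different server and a different payload.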