On December 20, 2024, the developers of Rspack disclosed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack. Malicious versions containing cryptocurrency mining malware were published to the npm registry after an attacker gained unauthorized publishing access. The affected version of each package, 1.1.7, has been removed, and 1.1.8 is now considered safe. The malware collects sensitive information and targets users in specific countries. To mitigate the impact, Rspack’s maintainers invalidated all existing npm and GitHub tokens and are investigating the breach. This incident emphasizes the importance of stronger security measures for package managers to protect developers from such attacks.
Rspack, a popular JavaScript bundler, has fallen victim to a serious software supply chain attack. Two of its npm packages, @rspack/core and @rspack/cli, were compromised. Malicious updates containing cryptocurrency mining malware were published to the official npm registry.
This breach was uncovered recently, leading to the urgent unpublishing of the compromised versions (1.1.7). The only safe version available is now 1.1.8. The attack occurred because an unauthorized actor gained npm publishing access and injected harmful scripts into these packages.
According to cybersecurity firm Socket, the malicious versions connect to a remote server to extract sensitive information, including cloud service credentials, and gather user location details. Strikingly, the malware targets specific countries such as China, Russia, and Iran, aiming to install an XMRig cryptocurrency miner on vulnerable Linux systems.
Rspack, developed as a fast alternative to Webpack, has gained significant traction, with @rspack/core and @rspack/cli receiving over 300,000 and 145,000 downloads weekly, respectively. This popularity makes them attractive targets for attackers.
The situation underscores an urgent need for enhanced security measures in package management. Rspack maintainers have since invalidated all old npm and GitHub tokens, reviewed permissions on their repositories, and are actively investigating how their tokens were compromised.
As the risk of supply chain attacks continues to grow, developers must remain vigilant and ensure they are using verified packages. This incident serves as a reminder of the critical importance of security in software development.
What happened with the Rspack npm packages?
Recently, some Rspack npm packages were discovered to be compromised. They contained crypto mining malware, meaning they could secretly use your computer’s resources to mine cryptocurrencies.
What is a supply chain attack?
A supply chain attack is when hackers target software and packages used in development. They manipulate these tools to introduce malware, which then affects users who download or use them unknowingly.
How do I know if I have the compromised Rspack packages?
To check if you have the affected Rspack packages, look in your project’s lockfile or installed node_modules for @rspack/core or @rspack/cli at the version named in the security reports (1.1.7), including copies pulled in transitively by other dependencies. If you have that version, you should update immediately to the safe version as recommended.
What should I do if I’m affected?
If you’re affected, the first step is to remove the compromised packages from your project. Next, update to the latest secure versions. Also, consider running a security scan on your system to ensure no additional malware is present.
How can I protect myself from future attacks?
To protect yourself, always keep your packages updated. Use trusted sources for your npm packages. Setting up security tools to monitor your projects can also help catch malicious changes quickly. Regularly review your dependencies and their sources to avoid risks.