
Malicious Rspack and Vant Packages Exploit Stolen NPM Tokens: Protect Your Projects from Security Threats


Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were hacked due to stolen npm tokens, resulting in the release of malicious versions that installed cryptominers. This supply chain attack, identified by researchers from Sonatype and Socket, deployed the XMRig miner to secretly mine Monero cryptocurrency on affected systems. The compromised code hid in specific JavaScript files, exploiting npm’s installation process to execute automatically. Both Rspack and Vant have since acknowledged the breach, releasing clean versions and urging users to upgrade to avoid the malicious packages. This incident highlights the ongoing risks associated with supply chain vulnerabilities in software development. Users are advised to avoid specific compromised versions and update to the latest safe releases.


In a concerning supply chain attack, three widely used npm packages—@rspack/core, @rspack/cli, and Vant—were compromised after hackers stole npm account tokens. As a result, malicious versions of these packages were published, which installed cryptominers on unsuspecting users’ systems. This incident has raised alarms in the development community about security vulnerabilities in widely trusted packages.

According to security researchers from Sonatype and Socket, the attackers used these packages to deploy the XMRig cryptocurrency miner, which mines the Monero cryptocurrency. All three packages were compromised on the same day, with multiple published versions affected. Rspack, a high-performance JavaScript bundler written in Rust, is downloaded around 394,000 times weekly, while its CLI package has about 145,000 weekly downloads. The Vant package, popular for building mobile web applications, sees around 46,000 weekly downloads.

Details of the Attack

The malicious code was embedded in specific files within the packages: ‘support.js’ in @rspack/core and ‘config.js’ in @rspack/cli. It runs automatically at install time through npm’s postinstall script and fetches further instructions from an external server. Once activated, it collects information about the victim’s system, including geographic location and IP address, which can be used for targeted attacks later. The XMRig miner is then covertly downloaded and disguised as a harmless file on the system, complicating detection efforts.

The attack also highlights a broader issue, with similar compromises affecting other platforms, including LottieFiles and Ultralytics, which have led to unauthorized cryptocurrency mining operations. Such incidents reveal the growing threat of supply chain attacks in the software development landscape.

Response from Developers

In response to the breach, Rspack and Vant quickly confirmed the compromise of their npm accounts and took immediate action to release clean versions of their packages. Rspack developers noted that the compromised version to avoid is 1.1.7, and users are encouraged to upgrade to version 1.1.8 or later, which includes security fixes. Vant users should avoid versions 2.13.3 through 4.9.14 and upgrade instead to Vant version 4.9.15 or newer.
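As an added example (not code from the article or from the Rspack or Vant projects), the following script audits a project’s package-lock.json for the compromised versions listed above and flags any dependency that declares an install-time script, the hook the malicious code used to run. The sample lockfile is constructed for the demonstration; the version list assumes the ranges exactly as the article states them.

```javascript
// Added example, not code from the article or from the Rspack/Vant projects.
// Audits a package-lock.json (lockfileVersion 2/3 "packages" map) for the
// compromised versions reported above and for install-time scripts.

// Compromised versions as stated in the article (Vant: 2.13.3 through 4.9.14).
const COMPROMISED = {
  "@rspack/core": { exact: ["1.1.7"] },
  "@rspack/cli": { exact: ["1.1.7"] },
  vant: { range: ["2.13.3", "4.9.14"] },
};
// Compare dotted numeric versions ("1.1.7" vs "1.1.8"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function isCompromised(name, version) {
  const rule = COMPROMISED[name];
  if (!rule) return false;
  if (rule.exact) return rule.exact.includes(version);
  return compareVersions(version, rule.range[0]) >= 0 &&
         compareVersions(version, rule.range[1]) <= 0;
}
// Lockfile keys look like "node_modules/@scope/name" (nested installs add more
// "node_modules/" segments); the package name follows the last such segment.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = key.slice(key.lastIndexOf("node_modules/") + 13);
    if (isCompromised(name, entry.version))
      findings.push({ name, version: entry.version, reason: "compromised-version" });
    if (entry.hasInstallScript) // npm sets this for preinstall/install/postinstall
      findings.push({ name, version: entry.version, reason: "install-script" });
  }
  return findings;
}
// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/@rspack/core": { version: "1.1.7", hasInstallScript: true },
  "node_modules/@rspack/cli": { version: "1.1.8" },
  "node_modules/vant": { version: "4.9.12" },
  "node_modules/left-pad": { version: "1.3.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any "install-script" finding deserves a look at that package’s scripts before the next install.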

This incident serves as a reminder of the importance of cybersecurity in software development. Users are advised to be vigilant when installing packages and regularly update to the latest secure versions to protect against similar threats in the future.

What is Malicious Rspack and Vant?

Malicious Rspack and Vant are versions of the Rspack and Vant packages that were published to the npm (Node Package Manager) registry using stolen access tokens. This means that an attacker used credentials belonging to the legitimate maintainers to publish these harmful versions under trusted package names.

How do these packages harm users?

These packages can introduce harmful code into your projects. They might steal data, allow unauthorized access, or even corrupt your files. Using such packages can cause serious security issues for developers and their applications.

How can I protect myself from these packages?

To stay safe, always check the source of any NPM package before using it. Look for reviews and the package’s download history. Make sure to use security tools that can scan for malicious code in your dependencies.

What should I do if I used these packages?

If you realize you’ve used Malicious Rspack or Vant, the first step is to remove them immediately. Then, change your NPM access tokens and audit your projects for any suspicious activity. It’s also a good idea to update your security practices.

Where can I find more information about NPM security?

You can find a lot of helpful information on NPM’s official website. They provide resources on security best practices, how to spot malicious packages, and ways to secure your tokens and data.
