
Rspack npm packages compromised by cryptocurrency mining malware in supply chain attack

December 20, 2024 | Ravi Lakshmanan | Malware / Supply chain attack

Rspack developers have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions containing cryptocurrency mining malware to the official package registry.

Following the discovery, version 1.1.7 of both libraries has been unpublished from the npm registry. The latest safe version is 1.1.8.

“It was released by an attacker who gained unauthorized deployment access to npm, and contains malicious scripts,” software supply chain security firm Socket said in an analysis.

Rspack is described as an alternative to webpack, offering “a high-performance JavaScript package written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies, including Alibaba, Amazon, Discord, and Microsoft.

The npm packages in question, @rspack/core and @rspack/cli, attract weekly downloads of over 300,000 and 145,000 respectively, demonstrating their popularity.

An analysis of the rogue versions of both libraries revealed that they include code that contacts a remote server (“80.78.28[.]72”) to transmit sensitive configuration details such as cloud service credentials, and that also collects the host's IP address and location by making an HTTP GET request to “ipinfo[.]io/json.”

Interestingly, the attack also limits infection to devices located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

The ultimate goal of the attacks is to trigger the download and execution of the XMRig cryptocurrency miner on compromised Linux hosts when packages are installed via a post-installation script specified in the “package.json” file.

“The malware is executed via a post-installation script, which runs automatically when the package is installed,” Socket said. “This ensures that the malicious payload is executed without any action on the part of the user, and integrates itself into the targeted environment.”

Besides publishing a new version of the two packages without the malicious code, the project said it has revoked all existing npm and GitHub tokens, checked the permissions of the repository and the npm packages, and reviewed the source code for any potential security vulnerabilities. The root cause of the token theft is still being investigated.

“This attack highlights the need for package managers to adopt more stringent safeguards to protect developers, such as enforcing certificate checks, to prevent updating to unverified versions,” Socket said. “But it’s not completely bulletproof.”

“As we have seen recently with the Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with authentication by compromising GitHub Actions through cache poisoning.”
