Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Avatar
The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware. Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest

The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

“They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts,” software supply chain security firm Socket said in an analysis.

Rspack is billed as an alternative to the webpack, offering a “high performance JavaScript bundler written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

The npm packages in question, @rspack/core, and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server (“80.78.28[.]72”) in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to “ipinfo[.]io/json.”

In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the “package.json” file.

“The malware is executed via the postinstall script, which runs automatically when the package is installed,” Socket said. “This ensures the malicious payload is executed without any user action, embedding itself into the target environment.”

Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

“This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions,” Socket said. “But it’s not totally bullet-proof.”

“As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Chainalysis: $2.2 billion stolen from crypto platforms in 2024 cyberattacks

Next Post

Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

Related Posts

New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said. "Threat actors leveraged an unconventional blend
Avatar
Read More