Recently, the developers behind the Rspack project revealed that two of their popular npm packages, @rspack/core and @rspack/cli (npm, or Node Package Manager, is a tool used to manage JavaScript libraries and packages), had been compromised in a supply chain attack. An attacker gained unauthorized access to the npm publishing process and released malicious versions of these packages that contained cryptocurrency mining malware. The malware, specifically XMRig (an open-source program used to mine Monero, a privacy-focused cryptocurrency), was designed to target specific countries and install the miner on vulnerable Linux systems, using the system's CPU power to mine cryptocurrency without users' knowledge.
What Happened?
On December 20, 2024, hackers gained unauthorized access to npm publishing by stealing npm publishing credentials, specifically npm tokens, which are used to authenticate and authorize the publishing of packages to the npm registry. Using these stolen tokens, the attackers published malicious versions of several npm packages, including @rspack/core and @rspack/cli, with XMRig embedded. On compromised systems the malware then connected to an external server and mined cryptocurrency for the attackers.
Thankfully, Sonatype’s automated malware detection systems quickly identified and blocked these malicious versions using the Nexus Repository Firewall, preventing further harm to users.
In addition to the Rspack packages, Sonatype's advanced binary analysis technology also detected a third compromised npm package, "Vant". Just as with Rspack, the attackers used a stolen npm token belonging to one of Vant's maintainers to publish several malicious versions of the package. These versions contained security vulnerabilities, affecting thousands of users. Since both attacks occurred on the same day, researchers believe they may have been carried out by the same threat actor.
Conclusion
In response to the attack, both Rspack and Vant maintainers acted quickly. They removed the compromised versions and released secure updates (Rspack v1.1.8 and Vant v4.9.15), which addressed the security issues. Both projects issued statements of apology and introduced stricter token management protocols to prevent future breaches.
This incident serves as a stark reminder of the increasing risks posed by supply chain attacks, which have become more prevalent in recent years. It underscores the critical need to secure npm publishing credentials and other access points that could be exploited by malicious actors. As developers and organizations rely more on open-source packages, the security of these tools becomes paramount to protecting sensitive data and maintaining trust in the ecosystem.
At Skyriver IT, we understand the evolving landscape of cybersecurity threats and are committed to ensuring that your business infrastructure remains secure and up to date. Our team specializes in implementing robust security measures and proactive solutions that safeguard your systems against potential vulnerabilities. With our expertise, you can have peace of mind knowing your IT environment is in safe hands, allowing you to focus on growing your business and doing what you do best. Contact us today!