Overview of the Rspack Compromise
Recently, Rspack faced a huge security issue related to two of their npm packages, namely @rspack/core and @rspack/cli. It appears that some evil doer hacked into the npm registry and published versions of those packages that contained the cryptocurrency mining malcode in them.
Details of the Attack
Compromised Versions
| Package Name | Compromised Versions | Current Safe Version |
|---|---|---|
| @rspack/core | 1.1.7 | 1.1.8 |
| @rspack/cli | 1.1.7 | 1.1.8 |
Certain malicious scripts intrude into systems and extract sensitive information as cloud service credentials, rendering it onto a specific outside entity server. The remote server’s address is “80.78.28[.]72. In addition, the attack gathers IP addresses and location details by querying “ipinfo[.]io/json.”
Geographical Targeting
Payload Execution
The payload does not seem to operate in every part of the world but only in specific countries such as China, Russia, Hong Kong, Belarus, and Iran, suggesting not general end-users, but selective targets.
The malignant packages then install an XMRig cryptocurrency miner on the compromised Linux hosts through a postinstall script contained in their “package.json”; all of this happens automatically upon installing the packages.
Steps to Remediate
Certain action was taken by the Rspack maintainers for mitigation from such type of attacks:
- Invalidation of all existing npm and GitHub tokens.
- Inspection of repository and npm packages Access Privileges.
- The source code was audited for vulnerabilities.
- A new version of the packages without the malicious code was developed.
Additional Threats: The Vant Package
The supply chain assault has gone beyond Rspack, targeting a different npm package named vant. The malicious threat actors managed to publish several compromised versions with known vulnerabilities:
| Package Name | Compromised Versions | Latest Secure Version |
|---|---|---|
| vant | 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, 4.9.14 | Latest Version Released |
He said that the compromise resulted from a stolen npm token, and that they have taken corrective measures to fix the flaw and released an updated version.
The incident of Rspark emphasizes the increased need for a security enhancement in the package configuration and distribution systems. There is a demand for stricter such measures, attestation checks, and prevention from inadvertent fraud.