Rspack npm Packages Compromised in Supply Chain Attack with Crypto Mining Malware

Categories: Malware / Supply Chain Attack

In a concerning development, two npm packages maintained by Rspack, namely @rspack/core and @rspack/cli, have been compromised in a software supply chain attack. This breach allowed a threat actor to upload malicious versions of these packages containing cryptocurrency mining malware to the npm registry.

What Happened?

The compromised versions, 1.1.7, were quickly identified and removed from the npm registry. The maintainers have since published a clean, safe version, 1.1.8.

According to Socket, a software supply chain security firm, the attacker gained unauthorized access to Rspack's npm publishing credentials and embedded malicious scripts within the affected packages.

About Rspack

Rspack, developed in Rust, is marketed as a high-performance JavaScript bundler and an alternative to webpack. Initially created by ByteDance, Rspack has garnered adoption by tech giants like Alibaba, Amazon, Discord, and Microsoft, highlighting its importance in the software development ecosystem.

The npm packages in question, @rspack/core and @rspack/cli, are widely used, with the former boasting over 300,000 weekly downloads and the latter exceeding 145,000 weekly downloads.

Malware Analysis

The rogue versions of these packages contained code designed to:

• Exfiltrate sensitive data: The malicious code connected to a remote server at 80.78.28[.]72, transmitting information such as cloud service credentials, IP addresses, and location data.
• Target specific regions: Interestingly, the malware excluded machines in certain countries, including China, Russia, Hong Kong, Belarus, and Iran, suggesting a selective approach by the attackers.
• Execute cryptocurrency mining malware: The attack leveraged a postinstall script in the package.json file to automatically download and execute an XMRig cryptocurrency miner on compromised Linux hosts without user intervention.

How It Worked

The malicious payload was activated through the postinstall script, which runs automatically when an npm package is installed. This mechanism allowed the attackers to embed and execute the malware silently within the target environment.

Rspack’s Response

In response to the incident, the Rspack team has taken the following measures:

• Published clean versions of the affected packages.
• Revoked all npm and GitHub tokens to prevent further unauthorized access.
• Conducted a thorough audit of the source code and repository permissions.
• Initiated an investigation into how the tokens were stolen.

The Bigger Picture

This attack underscores the critical need for stronger safeguards within software ecosystems to prevent supply chain breaches. According to Socket:

 

"Package managers must implement stricter protections, such as enforcing attestation checks, to ensure only verified versions are updated. However, even these measures are not foolproof."

The recent Ultralytics supply chain attack in the Python ecosystem illustrates this point, as attackers exploited GitHub Actions cache poisoning to bypass security measures and upload compromised packages.

Key Takeaways

This incident highlights the growing threat of supply chain attacks and the need for developers to remain vigilant:

• Always verify the integrity of the packages you install.
• Regularly update to the latest, trusted versions.
• Use advanced security tools to monitor for potential threats in your software dependencies.

For organizations, enforcing robust token management policies and adopting security frameworks like zero-trust architecture can help mitigate risks posed by such attacks.

Stay Informed: Follow our blog for the latest updates on cybersecurity threats and solutions.