Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner

KEY SUMMARY POINTS

  • Compromised npm Packages: On December 20, 2024, attackers used a hijacked npm token to compromise popular npm packages @rspack/core, @rspack/cli, and “vant,” injecting malicious code into their updates.
  • Monero Miner Deployed: The malicious code, hidden in obfuscated scripts, deployed the XMRig Monero cryptocurrency miner, connecting to an external server and mining for the attackers.
  • Automated Detection: Sonatype’s malware detection systems quickly identified and blocked the malicious versions, protecting users through the Nexus Repository Firewall.
  • Patches Released: Both Rspack and Vant addressed the breach by releasing clean updates (Rspack v1.1.8 and Vant v4.9.15) and implementing enhanced security measures.
  • Open Source Risks Highlighted: Sonatype reports that 98.5% of open-source malware targets npmjs.com, emphasizing the need for regular updates, patches, and proper security solutions.

Software supply chain management platform Sonatype has shared its latest research with Hackread.com, revealing that on December 20, 2024, the popular npm packages @rspack/core and @rspack/cli were compromised by attackers who had obtained a compromised npm token.

According to Sonatype’s blog post, the attackers then published malicious versions (1.1.7) of these packages. Sonatype’s automated malware detection systems quickly caught these malicious versions and blocked them for users of Nexus Repository Firewall.

In addition to these packages, Sonatype’s deep binary analysis technology also discovered another compromised npm package, “vant”. Several newer versions of “vant” exhibited signs of compromise and were subsequently blocked. Researchers suspect a common threat actor is responsible for both attacks, which occurred on the same day.

Hijacked via Compromised npm Tokens

Sonatype’s automated malware detection systems identified the malicious versions (1.1.7) of @rspack/core and @rspack/cli shortly after they were published to the npmjs.com registry. For your information, Rspack is a popular JavaScript bundler written in Rust, and its npm packages are widely used. @rspack/core receives close to 394,000 downloads weekly, and @rspack/cli gets more than 145,000 downloads per week.

Further probing revealed that the malicious versions of these packages contained heavily obfuscated code in the dist/utils/config.js file. This code had no apparent legitimate purpose and was not present in previous versions.

Code Runs Monero Crypto Miner

The obfuscated code deployed the known Monero miner “XMRig” on the target system, mining cryptocurrency for the attacker. The code also attempts to connect to the address hxxps://80.78.2872/tokens. A Monero address present in the code likely collects the mined XMR; however, little activity was associated with that address at the time of writing.

Vant Package Also Compromised

Sonatype researchers Jeff Thornhill and Adam Reynolds’ investigation discovered several compromised versions of the “vant” package. It is worth noting that Vant is a popular lightweight Vue UI library for mobile web apps, and it receives approximately 46,000 downloads every week on npmjs.com. The compromised versions of “vant” include: 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, and 4.9.14.

Via Sonatype

Patch Available

Both Rspack and Vant quickly addressed the compromise and released patches. Rspack released version 1.1.8, which is free of malicious code. Vant released an update with version 4.9.15, which also addresses the security issue.

Both also issued statements regarding the compromise. The Rspack Project apologized for the risks caused by this incident, pledging that they “will implement stricter token management protocols and enhance our security review processes.” Vant, for its part, confirmed that they “have taken measures to fix it and re-released the latest version.”

Sonatype’s 2024 Open Source Malware report reveals that 98.5% of open-source malware is published on the npmjs.com registry, making it a popular target for attackers. To stay safe, keep software updated, apply patches from Rspack and Vant, and use reliable security solutions to detect malware in open-source packages.
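The practical first step after an incident like this is to check whether any lockfile in your own projects pins one of the releases named above (@rspack/core and @rspack/cli 1.1.7, and the listed vant 2.x, 3.x and 4.x versions). The following Node.js script is an added example written for this article; it is not code from Sonatype, Rspack or Vant. The version lists come from the article; the sample package-lock.json content is constructed here for the demonstration, and the script handles both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1, including compromised copies nested under another dependency.

```javascript
// Added example (not from the Hackread article or Sonatype's research): scan a
// package-lock.json for the package versions the article names as compromised.
// Version lists below are taken from the article; the sample lockfile is constructed.

const COMPROMISED = {
  '@rspack/core': new Set(['1.1.7']),
  '@rspack/cli': new Set(['1.1.7']),
  'vant': new Set(['2.13.3', '2.13.4', '2.13.5', '3.6.13', '3.6.14', '3.6.15',
                   '4.9.11', '4.9.12', '4.9.13', '4.9.14']),
};

// Clean releases named in the article, reported as the upgrade target.
const FIXED = { '@rspack/core': '1.1.8', '@rspack/cli': '1.1.8', 'vant': '4.9.15' };

// Flatten a lockfile into { name, version, path } entries. lockfileVersion 2/3
// carries a flat "packages" map keyed by install path (nested copies appear as
// "node_modules/a/node_modules/vant"); lockfileVersion 1 nests "dependencies".
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry, not a dependency
      const idx = path.lastIndexOf('node_modules/');
      const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
      found.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Return every installed copy whose exact version is on the compromised list.
function findCompromised(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const entry of collectInstalled(lock)) {
    const bad = COMPROMISED[entry.name];
    if (bad && bad.has(entry.version)) {
      hits.push({ ...entry, fixed: FIXED[entry.name] });
    }
  }
  return hits;
}

// Constructed sample lockfile (v3): one direct compromised dependency, one clean
// vant at the top level, and an old compromised vant nested under another package.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'demo-app', dependencies: { '@rspack/core': '1.1.7', vant: '4.9.15' } },
    'node_modules/@rspack/core': { version: '1.1.7' },
    'node_modules/vant': { version: '4.9.15' },
    'node_modules/legacy-widget': { version: '0.1.0' },
    'node_modules/legacy-widget/node_modules/vant': { version: '2.13.4' },
  },
});

// CLI usage: node check-lock.js [path/to/package-lock.json]; without an argument the
// constructed sample is scanned. Exit code 1 signals a hit, so it can gate CI.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const input = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  const hits = findCompromised(input);
  for (const h of hits) {
    console.log(`${h.path}: ${h.name}@${h.version} is a known-compromised release; upgrade to ${h.fixed}`);
  }
  process.exitCode = hits.length ? 1 : 0;
}
```

The match is on exact version strings rather than semver ranges because the compromised releases are specific published versions; a range check would miss the nested vant 2.13.4 that a top-level pin to 4.9.15 does not cover, which is exactly the case the sample lockfile illustrates.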
