The Rspack developers have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed an attacker to publish malicious versions containing cryptocurrency mining malware to the official package registry.
Following discovery, version 1.1.7 of both libraries was removed from the npm registry. The latest safe version is 1.1.8.
“They were released by an attacker who gained unauthorized access to an npm token and contain malicious scripts,” software security firm Socket said in an analysis.
Rspack is positioned as an alternative to webpack, offering “a high-performance JavaScript compiler written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies, including Alibaba, Amazon, Discord, and Microsoft.
The two npm packages, @rspack/core and @rspack/cli, see more than 300,000 and 145,000 weekly downloads respectively, a measure of how widely they are used.
Analysis of the rogue versions of the two libraries found that they include code that calls out to a remote server (“80.78.28(.)72”) to transmit sensitive configuration details, such as cloud service credentials, and that collects the host’s IP address and location by making an HTTP GET request to “ipinfo(.)io/json”.
In an interesting twist, the attack also limits infection to machines located in a specific set of countries, among them China, Russia, Hong Kong, Belarus, and Iran.
The ultimate goal of the attack is to download and execute the XMRig cryptocurrency miner on compromised Linux hosts once the packages are installed, using a postinstall script declared in the packages’ “package.json” file.
“The malware is launched via a post-installation script that runs automatically when the package is installed,” Socket said. “This ensures that the malicious payload executes without any user action, embedding itself in the target environment.”
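A practical way to hunt for the indicators described above in your own dependency tree, as an added example that is not part of Socket’s report or of the Rspack project’s code. It audits an already-parsed list of package.json objects for the known compromised versions, for install-time lifecycle scripts, and for the network indicators named in the report; the tree layout, the optional `fileContents` field, and the XMRig pattern are assumptions.

```javascript
// Added example (not Rspack's or Socket's code): audit a parsed npm dependency
// tree for the three indicators the report describes: the known compromised
// versions, install-time lifecycle scripts, and network indicators in package
// contents. Runs offline on a constructed tree; in practice build `tree` from
// `npm ls --all --json` or by reading every node_modules/**/package.json.

// Versions named in the report as malicious.
const COMPROMISED_VERSIONS = {
  "@rspack/core": new Set(["1.1.7"]),
  "@rspack/cli": new Set(["1.1.7"]),
};

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators from the report (the server IP and ipinfo.io). The XMRig pattern
// is an assumption about what a miner downloader is likely to reference.
const IOC_PATTERNS = [
  { label: "C2 server 80.78.28.72", re: /80\.78\.28\.72/ },
  { label: "geolocation lookup via ipinfo.io", re: /ipinfo\.io/i },
  { label: "XMRig reference", re: /xmrig/i },
];

// pkg = { name, version, scripts?, fileContents? } where fileContents is an
// optional array of strings holding the text of the package's JS files.
function auditPackage(pkg) {
  const findings = [];
  const bad = COMPROMISED_VERSIONS[pkg.name];
  if (bad && bad.has(pkg.version)) {
    findings.push(`known-compromised version ${pkg.name}@${pkg.version}`);
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push(`runs ${hook} script: ${scripts[hook]}`);
    }
  }
  // Scan script commands and any file contents the caller supplied.
  const blobs = [...Object.values(scripts), ...(pkg.fileContents || [])];
  for (const { label, re } of IOC_PATTERNS) {
    if (blobs.some((text) => typeof text === "string" && re.test(text))) {
      findings.push(`IOC: ${label}`);
    }
  }
  return findings;
}

// Returns { "name@version": [findings...] } for every package with a finding.
function auditTree(tree) {
  const report = {};
  for (const pkg of tree) {
    const findings = auditPackage(pkg);
    if (findings.length > 0) report[`${pkg.name}@${pkg.version}`] = findings;
  }
  return report;
}

// Constructed sample tree; the file contents are invented to mimic the
// behaviour described in the report, not copied from the real payload.
const SAMPLE_TREE = [
  {
    name: "@rspack/core",
    version: "1.1.7",
    scripts: { postinstall: "node ./support.js" },
    fileContents: [
      'const exfil = "http://80.78.28.72/"; fetch("https://ipinfo.io/json")',
    ],
  },
  { name: "@rspack/cli", version: "1.1.8", scripts: { test: "node test.js" } },
  { name: "left-pad", version: "1.3.0" },
];

console.log(JSON.stringify(auditTree(SAMPLE_TREE), null, 2));
```

Run against a real tree, the same `auditTree` call flags every package that would execute code during `npm install`, which is the vector used here. Setting `ignore-scripts=true` in `.npmrc` (or running `npm install --ignore-scripts`) blocks that vector outright, at the cost of breaking the few legitimate packages that depend on install scripts, so pair it with an allow-list rather than switching it off globally.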
In addition to publishing new versions of the two packages without the malicious code, the project maintainers said they invalidated all existing npm and GitHub tokens, reviewed the permissions of the npm repository and packages, and audited the source code for potential vulnerabilities. The root cause of the token theft is under investigation.
“This attack highlights the need for package managers to take stronger security measures to protect developers, such as enforcing attestation checks to prevent updates to unverified versions,” Socket said. “But it’s not exactly bulletproof.”
“As can be seen in the recent supply chain attack on Ultralytics in the Python ecosystem, attackers can still publish attested versions by hacking GitHub Actions via cache poisoning.”