Dec 20, 2024Ravie LakshmananMalware / Supply Chain Attack

The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

“They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts,” software supply chain security firm Socket said in an analysis.

Rspack is billed as an alternative to the webpack, offering a “high performance JavaScript bundler written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

The npm packages in question, @rspack/core, and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server (“80.78.28[.]72”) in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to “ipinfo[.]io/json.”

In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the “package.json” file.

“The malware is executed via the postinstall script, which runs automatically when the package is installed,” Socket said. “This ensures the malicious payload is executed without any user action, embedding itself into the target environment.”

Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

“This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions,” Socket said. “But it’s not totally bullet-proof.”

“As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning.”