Malicious Rspack and Vant Packages Target Users with Stolen NPM Tokens. Here is a quick look at what to know

In a recent cybersecurity incident, attackers compromised three popular npm packages—@rspack/core, @rspack/cli, and Vant—using stolen npm account tokens. This allowed them to publish malicious versions of these packages, which installed cryptominers on compromised systems.

Detection and Details

The attack was detected by researchers from Sonatype and Socket, who found that the malicious code was hidden inside the support.js file of @rspack/core and the config.js file of @rspack/cli. The attackers used npm’s postinstall script to automatically execute the malicious code upon package installation. Once running, the malware retrieved the geographic location and network details of the victim’s system.

Malicious Downloads

The compromised versions of @rspack/core and @rspack/cli were downloaded 394,000 and 145,000 times weekly, respectively. The Vant package, a lightweight, customizable Vue.js UI library, was downloaded 46,000 times weekly. The attackers used the XMRig cryptocurrency miner to mine Monero, a privacy-focused cryptocurrency.

Response and Remediation

Upon discovering the compromise, both Rspack and Vant released new, cleaned versions of their packages and apologized to the community for failing to safeguard the supply chain. The Rspack developers explained that one of their team members’ npm tokens was stolen and used to release multiple versions with security vulnerabilities.

Versions to Avoid

The compromised Rspack version to avoid is 1.1.7; for Vant, users should avoid versions 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, and 4.9.14. Users are advised to upgrade to Rspack v1.1.8 or later and Vant v4.9.15.
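
As an added example (not from the article or from the Rspack or Vant projects), the following Node.js script walks the "packages" map of a package-lock.json (lockfile v2/v3 layout) and reports any copy of @rspack/core, @rspack/cli or vant pinned to one of the versions listed above, including nested copies buried under another dependency's node_modules. The lockfile contents are a constructed sample; the version lists are the ones given in this article.

```javascript
// Added example, not code from the article or the affected projects.
// Versions named as compromised in the write-up above.
const COMPROMISED = {
  "@rspack/core": ["1.1.7"],
  "@rspack/cli": ["1.1.7"],
  "vant": ["2.13.3", "2.13.4", "2.13.5", "3.6.13", "3.6.14", "3.6.15",
           "4.9.11", "4.9.12", "4.9.13", "4.9.14"],
};

// Minimum clean versions per the remediation advice above.
const SAFE_MINIMUM = { "@rspack/core": "1.1.8", "@rspack/cli": "1.1.8", "vant": "4.9.15" };

// Lockfile keys look like "node_modules/@rspack/core" or, for a nested copy,
// "node_modules/some-dep/node_modules/vant"; take the name after the last
// "node_modules/" segment. Returns null for the root entry ("") or other paths.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Scan every installed package entry and collect exact matches against the
// compromised version lists, with the version to upgrade to.
function findCompromised(lockfile) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in COMPROMISED)) continue;
    if (COMPROMISED[name].includes(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version, upgradeTo: SAFE_MINIMUM[name] });
    }
  }
  return hits;
}

// Constructed sample lockfile: one bad top-level Rspack core, one clean Vant at
// the top level, and a stale nested Vant pulled in by a hypothetical UI kit.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@rspack/core": { version: "1.1.7" },
    "node_modules/@rspack/cli": { version: "1.1.8" },
    "node_modules/vant": { version: "4.9.15" },
    "node_modules/some-ui-kit/node_modules/vant": { version: "3.6.14" },
  },
};

for (const h of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`${h.path}: ${h.name}@${h.version} is compromised, upgrade to >=${h.upgradeTo}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case matters because `npm ls` output for the top-level name alone can hide a second copy deeper in the tree.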

Conclusion

This incident highlights the growing threat of cryptomining attacks targeting open-source packages. It serves as a reminder of the importance of safeguarding account tokens and regularly updating software to protect against such vulnerabilities.
