The maintainers of Rspack have disclosed a software supply chain attack on two of their npm packages, @rspack/core and @rspack/cli. A threat actor who obtained publishing access uploaded compromised versions of both packages to the npm registry, embedding cryptocurrency mining malware.
Following detection of the breach, the malicious release, version 1.1.7 of both packages, was promptly removed from the npm registry. Developers are advised to update to the latest clean release, version 1.1.8.
“These versions were uploaded by an unauthorized entity who gained illicit npm publishing access, embedding harmful scripts,” noted software supply chain security firm Socket in its investigation.
Rspack, positioned as a performance-driven alternative to webpack, is a JavaScript bundler written in Rust. Initially created by ByteDance, it has gained significant adoption from prominent organizations, including Alibaba, Amazon, Discord, and Microsoft.
The compromised packages, @rspack/core and @rspack/cli, are widely used, with weekly downloads exceeding 300,000 and 145,000 respectively, an indication of how heavily the development community relies on them.
Malware Behavior and Attack Analysis
An in-depth examination of the tainted versions revealed embedded code designed to contact a remote server at “80.78.28[.]72”. The code harvests sensitive configuration data, such as cloud service credentials, and determines the host’s public IP address and geographic location via a request to “ipinfo[.]io/json”.
Notably, the attack restricts its own scope, skipping machines located in certain countries, including China, Russia, Hong Kong, Belarus, and Iran. The operation’s ultimate objective is to download and execute the XMRig cryptocurrency miner on compromised Linux hosts. Execution is triggered by a postinstall script declared in the package’s package.json, which npm runs automatically when the package is installed.
“The malware leverages the postinstall script to seamlessly execute its payload during installation, embedding itself into the victim’s environment without requiring additional user interaction,” Socket explained.
Mitigation and Preventative Actions
In response to the incident, the Rspack team has released cleaned versions of the packages and implemented robust security measures. These include:
- Revocation of npm and GitHub tokens to prevent further unauthorized access.
- Audit of repository and package permissions to identify vulnerabilities.
- Thorough review of source code to ensure no lingering threats exist.
Efforts to trace the origin of the stolen credentials remain ongoing.
A Wake-Up Call for Enhanced Safeguards
This incident underscores the urgency for package managers to adopt stricter security protocols, such as enforcing attestation checks, to curb the proliferation of malicious packages. However, as Socket pointed out, even such measures are not infallible.
“The recent Ultralytics supply chain attack in the Python ecosystem illustrates how attackers can exploit vulnerabilities, like cache poisoning in GitHub Actions, to bypass safeguards,” the analysis noted.
Developers and organizations relying on open-source dependencies must exercise heightened vigilance and adhere to best practices to mitigate risks posed by evolving supply chain threats.