npm packages from Rspack, Vant compromised, blocked by Sonatype

Two popular npm packages, @rspack/core and @rspack/cli, were hijacked using a compromised npm token, leading to the release of malicious versions. The incident was detected by Sonatype’s automated systems, which also identified similar compromises in the “vant” package. Users are urged to upgrade to secure versions to avoid potential risks. #npmSecurity #Malware #OpenSource

Key points:

  • Compromised npm token led to the release of malicious versions 1.1.7 of @rspack/core and @rspack/cli.
  • Sonatype’s automated malware detection systems blocked the malicious packages.
  • Obfuscated code in the malicious versions runs a Monero crypto miner.
  • Another package, “vant,” was also found to be compromised with similar malicious activity.
  • Users are encouraged to upgrade to secure versions to mitigate risks.

MITRE Techniques:

  • TA0001 – Initial Access: Compromised npm token used to publish malicious versions.
  • TA0002 – Execution: Obfuscated code executes a Monero miner on the target system.
  • TA0003 – Persistence: Malicious code attempts to establish a connection to a remote server.

Indicators of Compromise:

  • [URL] hxxps://80.78.28[.]72/tokens
  • [Monero Address] 475NBZygwEajj4YP2Bdu7yg6XnaphiFjxTFPkvzg5xAjLGPSakE68nyGavn8r1BYqB44xTEyKQhueeqAyGy8RaYc73URL1j
  • [File Name] config.js (in @rspack/cli and support.js in Vant)
  • [File Hash] SHA1: b64365f2f09a2cb578407acc8533764ed11536db
  • [File Hash] MD5: a29d596bef840c3c5a708133a0a27472
  • Check the article for all found IoCs.

Fairly popular npm packages, @rspack/core and @rspack/cli, were hijacked yesterday after attackers obtained a compromised npm token and published malicious versions 1.1.7 of these projects. These versions were promptly caught by Sonatype’s automated malware detection systems and blocked for our customers using Nexus Repository Firewall.

Additionally, our deep binary analysis technology identified another npm package, “vant,” several newer versions of which showed identical signs of compromise and were blocked. We suspect a common threat actor is behind both incidents, which took place on the same day.

Hijacked via compromised npm tokens

Sonatype’s automated malware detection systems raised alarms yesterday shortly after versions 1.1.7 of npm projects @rspack/core and @rspack/cli were published to the npmjs.com registry, the world’s largest JavaScript registry.

Rspack is a high-performance JavaScript bundler written in Rust. Its npm projects are fairly popular, with @rspack/core scoring close to 394,000 downloads weekly and @rspack/cli more than 145,000.

Responding to the alert, Sonatype researchers Jeff Thornhill and Adam Reynolds immediately jumped on the investigation to determine the root cause of the alarm. The reason? Version 1.1.7 of these packages, unlike the previous ones, contained heavily obfuscated code a few directories down, in the dist/utils/config.js file, with no obvious use case or explicable purpose.

Runs a Monero crypto miner

The obfuscated code deploys the known Monero miner XMRig on the target system to mine cryptocurrency for the attacker, explained Reynolds.


Additionally, the code attempts to establish a connection to the address hxxps://80.78.28[.]72/tokens.

The following Monero address present in the code is potentially used to gather the mined XMR, although at the time of writing we could not find much activity associated with the address. This is further compounded by the fact that Monero transactions are confidential and untraceable.

475NBZygwEajj4YP2Bdu7yg6XnaphiFjxTFPkvzg5xAjLGPSakE68nyGavn8r1BYqB44xTEyKQhueeqAyGy8RaYc73URL1j

Vant package also compromised

The human research efforts, combined with Sonatype’s deep binary analysis technology, led us to discover and block several versions of another package, “vant,” that had been hit by an identical attack at the same time.

Vant is a “lightweight, customizable Vue UI library for mobile web apps” that receives approximately 46,000 downloads every week on npmjs.com.

The compromised versions of “vant” include: 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, 4.9.14.

Both projects quickly detected the compromise and acknowledged the attack, encouraging users to stop using the compromised versions and to upgrade to a safe one.

The release notes for Rspack version 1.1.8 state:

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens.
Subsequently, we released a secure new version v1.1.8.

Users are encouraged to upgrade to version 1.1.8 and thoroughly scan their systems for any signs of compromise.

“We deeply apologize for the risks caused by this incident,” states the Rspack project. “To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.”

Vant issued a similar update with its safe release v4.9.15, which users are encouraged to upgrade to:

“This release is to fix a security issue,” states the release notes for v4.9.15. “We found that one of our team members’ npm token was stolen and used to release multiple versions with security vulnerabilities. We have taken measures to fix it and re-released the latest version.”

Indicators of Compromise (IOCs)

  • IP address / URL(s): hxxps://80.78.28[.]72/tokens
  • Monero (XMR) address:
    475NBZygwEajj4YP2Bdu7yg6XnaphiFjxTFPkvzg5xAjLGPSakE68nyGavn8r1BYqB44xTEyKQhueeqAyGy8RaYc73URL1j
  • “config.js” in @rspack/cli (which exists as “support.js” in Vant and @rspack/core)
    • SHA1: b64365f2f09a2cb578407acc8533764ed11536db
    • MD5: a29d596bef840c3c5a708133a0a27472

Leave Open Source Malware protection to the experts

Sonatype’s 2024 Open Source Malware report highlights that 98.5% of all open source malware discovered by us was published in the npmjs.com registry, which remains a prominent choice among threat actors looking to push their malicious artifacts downstream to millions.

In October, npm project Lottie Player was compromised in a supply chain attack which potentially cost over $723,000 in financial losses to at least one entity. Attackers 

Earlier this week, counterfeit ES Lint and Node Types versions were seen abusing Pastebin to deploy Windows trojans. These received thousands of downloads, implying that some developers may be inadvertently falling for typosquats that can cause long-term damage both to their own systems and to those of users running applications built with these trojanized dependencies.

Tracked as sonatype-2024-013290, malicious versions of Rspack and Vant are automatically blocked from entering your builds if you are using Sonatype Repository Firewall or Sonatype Lifecycle and consuming components from the official npmjs.com registry. The Sonatype Security Research team continues our investigation into this incident.

Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks, compromises, and vulnerabilities, and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components before they reach your builds.

Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages are automatically blocked from reaching their development builds, keeping their software development life cycle (SDLC) hygienic.


Full Research: https://www.sonatype.com/blog/npm-packages-rspack-vant-compromised-blocked-by-sonatype