
Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Category Details
Threat Actors
– Unknown malicious actor targeting npm packages

Campaign Overview
– Compromised two npm packages: @rspack/core and @rspack/cli
– Distributed malicious versions containing cryptocurrency mining malware

Target Regions
– Machines located outside of China, Russia, Hong Kong, Belarus, and Iran (the malware limits infections to systems outside these countries)

Methodology
– Gained unauthorized npm publishing access
– Used a postinstall script in package.json to execute the malicious payload automatically

Product Targeted
– npm packages @rspack/core and @rspack/cli (a JavaScript bundler positioned as an alternative to webpack, developed by ByteDance)

Malware Reference
– XMRig cryptocurrency miner

Tools Used
– Malicious npm package versions
– HTTP requests to a remote server (e.g., “80.78.28[.]72”) to exfiltrate sensitive details
– HTTP GET request to “ipinfo[.]io/json” for IP and location data

Vulnerabilities Exploited
– Stolen npm publishing and GitHub tokens
– Package managers without strict attestation safeguards

TTPs
– Supply chain attack via package registry
– Automatic malware execution through postinstall scripts
– Exfiltration of sensitive details (cloud credentials, IP, location)

Attribution
– Unknown actor, possibly leveraging GitHub token theft and npm registry permissions

Recommendations
– Upgrade affected packages to safe versions (1.1.8)
– Revoke and regenerate npm and GitHub tokens
– Enforce attestation checks in package managers
– Audit permissions and source code for vulnerabilities

Source
– The Hacker News

Read full article: https://thehackernews.com/2024/12/rspack-npm-packages-compromised-with.html

The above summary has been generated by an AI language model

Source: The Hacker News

Published on: December 20, 2024
