
Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Threat Actors
- Unknown malicious actor targeting npm packages

Campaign Overview
- Compromised two npm packages: @rspack/core and @rspack/cli
- Distributed malicious versions containing cryptocurrency mining malware

Target Regions
- Machines located outside of China, Russia, Hong Kong, Belarus, and Iran (the malware limits infections to systems outside these countries)

Methodology
- Gained unauthorized npm publishing access
- Used a postinstall script in package.json to execute the malicious payload automatically

Product Targeted
- npm packages @rspack/core and @rspack/cli (JavaScript bundler alternatives to webpack, developed by ByteDance)

Malware Reference
- XMRig cryptocurrency miner

Tools Used
- Malicious npm package versions
- HTTP requests to a remote server (e.g., “80.78.28[.]72”) to exfiltrate sensitive details
- HTTP GET request to “ipinfo[.]io/json” for IP and location data

Vulnerabilities Exploited
- Stolen npm publishing and GitHub tokens
- Package managers without strict attestation safeguards

TTPs
- Supply chain attack via package registry
- Automatic malware execution through postinstall scripts
- Exfiltration of sensitive details (cloud credentials, IP, location)

Attribution
- Unknown actor, possibly leveraging GitHub token theft and npm registry permissions

Recommendations
- Upgrade affected packages to safe versions (1.1.8)
- Revoke and regenerate npm and GitHub tokens
- Enforce attestation checks in package managers
- Audit permissions and source code for vulnerabilities

Source: The Hacker News

Read full article: https://thehackernews.com/2024/12/rspack-npm-packages-compromised-with.html

The above summary has been generated by an AI language model

Source: The Hacker News

Published on: December 20, 2024
