Category | Details |
---|---|
Threat Actors | Likely a single attacker or group responsible for compromising npm packages (@rspack/core, @rspack/cli, “vant”). |
Campaign Overview | On December 20, 2024, attackers used a hijacked npm token to inject malicious code into popular npm packages, deploying Monero cryptocurrency miners. |
Target Regions | Global users of compromised npm packages, especially developers using JavaScript tools. |
Methodology | Hijacking npm tokens to publish malicious package updates containing obfuscated code that deploys Monero miners. |
Product Targeted | – Rspack: JavaScript bundler written in Rust (394,000 downloads/week for @rspack/core). – Vant: Lightweight Vue UI library (46,000 downloads/week). |
Malware Reference | XMRig Monero cryptocurrency miner. |
Tools Used | – Compromised npm token. – Obfuscated JavaScript code. – XMRig miner. |
Vulnerabilities Exploited | Insecure npm token management enabling package hijacking. |
TTPs | – Injecting obfuscated code into npm package updates. – Deploying Monero miners. – Utilizing C2 infrastructure at hxxps://80.78.2872/tokens for data exfiltration. |
Attribution | No specific attribution, but suspected to be a common actor targeting the npmjs.com ecosystem. |
Recommendations | – Update to clean versions (Rspack v1.1.8, Vant v4.9.15). – Use automated tools to detect malicious npm packages. – Implement strict token management protocols. – Regularly update and patch dependencies. |
Source | Hackread |
Read full article: https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/
The above summary has been generated by an AI language model
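
A lockfile check for the "update to clean versions" recommendation in the table, as an added example that is not part of the original summary or of the Rspack/Vant projects' code. The summary does not list the compromised version numbers, so this assumes any resolved copy older than the named clean release should be reviewed; `findOutdated` and `SAMPLE_LOCK` are hypothetical names and the sample lockfile is constructed.

```javascript
// Clean releases are the ones named in the Recommendations row.
const CLEAN = new Map([['@rspack/core', '1.1.8'], ['@rspack/cli', '1.1.8'], ['vant', '4.9.15']]);

// Numeric x.y.z comparison (a string comparison would rank 1.1.10 below 1.1.8).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every resolved copy of a watched package older than its clean release.
function findOutdated(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const clean = CLEAN.get(name);
    if (clean && typeof version === 'string' && compareVersions(version, clean) < 0) {
      hits.push({ name, version, clean, where });
    }
  };
  if (lock.packages) {
    // Lockfile v2/v3: keys are install paths, so nested copies are included.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // "" is the root project itself
      check(meta.name || path.slice(idx + 'node_modules/'.length), meta.version, path);
    }
  } else {
    // Lockfile v1: walk the nested "dependencies" trees.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not taken from the report).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.1' },
  'node_modules/@rspack/core': { version: '1.0.0' },
  'node_modules/@rspack/cli': { version: '1.1.8' },
  'node_modules/ui-kit/node_modules/vant': { version: '4.8.0' },
} };
console.log(findOutdated(SAMPLE_LOCK));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findOutdated`; copies pulled in transitively are reported with their install path.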