Introduction
Recent incidents have highlighted significant vulnerabilities in popular open-source software packages, underscoring the risks of malicious code infiltration and the growing threat to widely-used software tools. These compromises have raised concerns about the security of the open-source supply chain.
Description
A series of compromises has been identified in popular open source packages [8], revealing the risk of malicious code infiltration and the increasing vulnerability of widely-used software tools. Developers of the JavaScript bundler Rspack reported that their npm packages, @rspack/core and @rspack/cli [3], were specifically compromised in a supply chain attack. Attackers exploited stolen npm account tokens to publish malicious version 1.1.7 of both packages, which contained heavily obfuscated code that deployed the XMRig cryptocurrency miner on target systems [1]. This allowed attackers to mine Monero while exfiltrating sensitive data, including cloud service credentials and user location details [6]. Notably, the malware was designed to avoid infecting systems in regions such as China, Russia [6], Hong Kong [6], Belarus [6], and Iran [6]. The malicious code executed automatically via npm’s postinstall script upon installation, utilizing the processing power of compromised Linux systems, and attempted to connect to an external URL for unauthorized communication, gathering geographic and network information from victims’ systems [4].
In addition to @rspack/core and @rspack/cli [8], the Vant package [1] [5], a customizable Vue UI library for mobile web apps [5] [8], was also compromised through the same method, with multiple affected versions identified, including 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13 [5], and 4.9.14 [5]. The @rspack/core and @rspack/cli packages, both at version 1.1.7, were downloaded 394,000 and 145,000 times weekly [7], respectively, while Vant had 46,000 weekly downloads [7]. Both Rspack and Vant acknowledged the breaches and have since released cleaned versions of their packages [4], apologizing for the security lapse [4]. Rspack released version 1.1.8 [1], while Vant released version 4.9.15 [1], both addressing the security issues caused by the compromised npm tokens [1]. The Rspack team also unpublished the malicious versions [6], invalidated all associated npm and GitHub tokens [6], and conducted a source code audit to investigate how the attacker accessed publishing credentials [6].
To mitigate the risks, users are advised to avoid the affected versions of @rspack/core and @rspack/cli, specifically version 1.1.7, and to upgrade to version 1.1.8 or later. For Vant [4], users should avoid the compromised versions listed above and upgrade to Vant version 4.9.15 or newer. Signs of the attacks included obfuscated code and unauthorized communication with external command and control servers, underscoring the ongoing risks associated with supply chain vulnerabilities and the broader trend of compromises impacting various software packages. Sonatype’s automated malware detection systems successfully blocked the malicious versions from being published [1], and its investigation into the incidents is ongoing [1], highlighting the urgent need for enhanced security measures to protect the open-source supply chain [2], particularly in the npm registry [1], where a significant percentage of malware is found [1].
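One way to check a project for the affected versions listed above, as an added example that is not from the advisory or from the Rspack or Vant projects: it assumes a package-lock.json with lockfileVersion 2 or 3, whose "packages" map is keyed by install path, and it also catches nested copies, since every installed copy runs its own postinstall script.

```javascript
// Added example (not from the original advisory): scan a package-lock.json
// (lockfileVersion 2 or 3, "packages" map keyed by install path) for the
// package versions this advisory lists as compromised.
const COMPROMISED = {
  "@rspack/core": new Set(["1.1.7"]),
  "@rspack/cli": new Set(["1.1.7"]),
  "vant": new Set(["2.13.3", "2.13.4", "2.13.5", "3.6.13", "3.6.14", "3.6.15",
                   "4.9.11", "4.9.12", "4.9.13", "4.9.14"]),
};

// Derive the package name from a lockfile path such as
// "node_modules/foo/node_modules/@rspack/core" -> "@rspack/core".
// Scoped names survive because a scope never contains "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null; // "" is the root project entry, not a dependency
  return lockPath.slice(idx + marker.length);
}

// Return {path, name, version} for every installed copy (hoisted or nested)
// whose version is on the compromised list.
function findCompromised(lockfile) {
  const hits = [];
  const packages = lockfile.packages || {};
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in COMPROMISED)) continue;
    if (COMPROMISED[name].has(meta.version)) {
      hits.push({ path: lockPath, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one clean entry and two compromised ones,
// one of them nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@rspack/core": { version: "1.1.7" },
    "node_modules/@rspack/cli": { version: "1.1.8" },
    "node_modules/some-ui-kit/node_modules/vant": { version: "4.9.13" },
  },
};

// Replace SAMPLE_LOCK with JSON.parse of a real package-lock.json to scan a project.
for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```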
Conclusion
The recent compromises in open-source packages like Rspack and Vant illustrate the critical need for robust security measures in the software supply chain. Users are urged to update to secure versions to mitigate risks. The incidents underscore the importance of vigilance and proactive security practices to safeguard against future threats, emphasizing the necessity for ongoing improvements in open-source security protocols.
References
[1] https://www.sonatype.com/blog/npm-packages-rspack-vant-compromised-blocked-by-sonatype
[2] https://undercodenews.com/the-rise-of-malicious-open-source-packages-a-growing-threat/
[3] https://news.backbox.org/2024/12/20/rspack-npm-packages-compromised-with-crypto-mining-malware-in-supply-chain-attack/
[4] https://cyberprivateinvestigations.com/2024/12/20/malicious-rspack-vant-packages-published-using-stolen-npm-tokens/
[5] https://securityboulevard.com/2024/12/oss-in-the-crosshairs-cryptomining-hacks-highlight-key-new-threat/
[6] https://cybermaterial.com/rspack-npm-packages-spread-crypto-malware/
[7] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-december-23-2024
[8] https://www.infosecurity-magazine.com/news/cryptomining-malware-opensource/