Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
The supply chain attack, spotted by both Sonatype and Socket researchers, deployed the XMRig cryptocurrency miner on compromised systems for mining the hard-to-trace Monero privacy cryptocurrency.
Additionally, Sonatype discovered that all three npm packages fell victim to the identical compromise on the same day, affecting multiple versions.
The two compromised Rspack packages are its core component and its command line interface (CLI) tool, downloaded 394,000 and 145,000 times weekly, respectively, on npm.
Vant is a lightweight, customizable Vue.js UI library tailored for building mobile web applications, providing pre-designed, reusable UI components. It is also relatively popular, garnering 46,000 weekly downloads on npm.
The malicious code is hidden inside the 'support.js' file in @rspack/core and the 'config.js' file in @rspack/cli, and fetches its configuration and command-and-control (C2) instructions from an external server.
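The pattern described above, package code that runs at install or load time and reaches out to an external server, is something a defender can screen for in an installed dependency tree. The script below is an added example, not code from the article or from the Rspack or Vant projects: it walks a `node_modules` directory, flags packages whose `package.json` declares install-time lifecycle hooks, and flags JavaScript files that contain outbound-network or process-spawning calls. The package names (`@example/suspicious-pkg`, `benign-pkg`), the `config.invalid` host and the sample files are constructed for the demonstration, and the pattern list is a heuristic starting point for review, not a proof of compromise.

```python
"""Heuristic scan of installed npm packages for install-time hooks and
load-time network calls (added example; package names and samples are constructed)."""
import json
import os
import re
import tempfile

# Lifecycle scripts npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Calls that suggest a package talks to a remote host or spawns a process
# while being installed or required; each hit is a review item, not a verdict.
NETWORK_PATTERNS = re.compile(
    r"\b(https?\.(get|request)\s*\(|fetch\s*\(|require\(['\"](https?|net|dgram)['\"]\)|child_process)"
)


def scan_package(pkg_dir):
    """Return (package, kind, detail) findings for one unpacked package."""
    findings = []
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    name = manifest.get("name", os.path.basename(pkg_dir))

    # 1. Install-time hooks: code that runs before anyone imports the package.
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append((name, "lifecycle-hook", f"{hook}: {scripts[hook]}"))

    # 2. Network or process calls anywhere in the shipped JavaScript.
    for root, _dirs, files in os.walk(pkg_dir):
        for fn in files:
            if not fn.endswith((".js", ".cjs", ".mjs")):
                continue
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    if NETWORK_PATTERNS.search(line):
                        rel = os.path.relpath(path, pkg_dir)
                        findings.append((name, "network-call", f"{rel}:{lineno}: {line.strip()}"))
    return findings


def scan_node_modules(node_modules):
    """Map every package (including @scope/name packages) to its findings."""
    results = {}
    for entry in sorted(os.listdir(node_modules)):
        entry_path = os.path.join(node_modules, entry)
        if entry.startswith("@"):  # scoped packages live one level deeper
            for sub in sorted(os.listdir(entry_path)):
                sub_path = os.path.join(entry_path, sub)
                if os.path.isfile(os.path.join(sub_path, "package.json")):
                    results[f"{entry}/{sub}"] = scan_package(sub_path)
        elif os.path.isfile(os.path.join(entry_path, "package.json")):
            results[entry] = scan_package(entry_path)
    return results


def build_sample_tree():
    """Constructed node_modules: one package with a postinstall hook and a
    load-time HTTPS request, one benign package. Returns the node_modules path."""
    node_modules = os.path.join(tempfile.mkdtemp(), "node_modules")
    suspicious = os.path.join(node_modules, "@example", "suspicious-pkg")
    benign = os.path.join(node_modules, "benign-pkg")
    os.makedirs(suspicious)
    os.makedirs(benign)
    with open(os.path.join(suspicious, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "@example/suspicious-pkg", "version": "0.0.0",
                   "scripts": {"postinstall": "node support.js"}}, fh)
    with open(os.path.join(suspicious, "support.js"), "w", encoding="utf-8") as fh:
        fh.write("const https = require('https');\n"
                 "// constructed sample: pulls a config from a remote host at load time\n"
                 "https.get('https://config.invalid/cfg.json', () => {});\n")
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "benign-pkg", "version": "1.0.0"}, fh)
    with open(os.path.join(benign, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    return node_modules


if __name__ == "__main__":
    for pkg, hits in scan_node_modules(build_sample_tree()).items():
        print(pkg, "->", "clean" if not hits else "")
        for _, kind, detail in hits:
            print(f"  [{kind}] {detail}")
```

Run it against a real project with `scan_node_modules("node_modules")`; a hit on a package that has no reason to phone home during install, such as a build tool or a UI component library, is the cue to compare the installed version with the one recorded in the lockfile and with the maintainers' published release list before trusting it.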