Severity
High
Analysis Summary
Two of Rspack's npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack, according to the developers. This gave a malicious actor the ability to publish copies of the packages carrying Bitcoin mining malware to the official package registry.
Version 1.1.7 of both libraries has been removed from the npm registry since the discovery; 1.1.8 is the most recent safe version. The malicious versions contain harmful scripts and were published by an attacker who obtained unauthorized access to npm publishing. Rspack is marketed as a high-performance JavaScript bundler written in Rust that can be used as an alternative to webpack. It was originally created by ByteDance and has since been adopted by several companies, including Microsoft, Amazon, Alibaba, and Discord.
As evidence of their popularity, the npm packages in question, @rspack/core and @rspack/cli, receive over 300,000 and 145,000 downloads per week, respectively. An analysis of the two libraries' rogue versions shows that they include code that calls a remote server ("80.78.28[.]72") to exfiltrate sensitive configuration information, including cloud service credentials, and that collects IP address and location information by sending an HTTP GET request to "ipinfo[.]io/json". An intriguing twist is that the attack restricts the infection to machines in a particular set of countries, including China, Russia, Hong Kong, Belarus, and Iran.
The ultimate objective of the attack is to use a postinstall script declared in the package's "package.json" file so that installing the packages on affected Linux hosts downloads and executes an XMRig Bitcoin miner. Because npm runs the postinstall script automatically when the package is installed, the malware executes and embeds itself in the target environment without any user involvement.
According to the project maintainers, they examined the source code for any potential vulnerabilities, reviewed the repository and npm package permissions, and invalidated all existing npm tokens and GitHub tokens, in addition to publishing a new version of the two packages without the malicious code. The root cause of the token theft is still under investigation.
This incident makes it clear that package managers need stricter security measures to protect developers, such as requiring attestation checks to block updates that do not come from a verified build. Attestation is not completely bulletproof, though: by compromising GitHub Actions through cache poisoning, attackers might still be able to publish versions that carry valid attestations, as demonstrated by the recent Ultralytics supply chain attack in the Python community.
Impact
- Cryptocurrency Theft
- Financial Loss
- Unauthorized Access
- Credential Theft
Remediation
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.