Software supply chain management platform Sonatype’s latest research shared with Hackread.com reveals that on 20 December 2024, popular npm packages @rspack/core and @rspack/cli were compromised by attackers who accessed a compromised npm token. According to Sonatype’s blog post, these attackers then published malicious versions (1.1.7) of these packages.
Sonatype’s automated malware detection systems quickly caught these malicious versions and blocked them for users of Nexus Repository Firewall. In addition to these packages, Sonatype’s deep binary analysis technology also discovered another compromised npm package, “vant.” Several newer versions of “vant” exhibited signs of compromise and were subsequently blocked. Researchers suspect the same threat actor is responsible for both attacks, which occurred on the same day.
• Compromised npm Packages: On 20 December 2024, attackers used a hijacked npm token to compromise popular npm packages @rspack/core, @rspack/cli, and “vant,” injecting malicious code into their updates.
• Monero Miner Deployed: The malicious code, hidden in obfuscated scripts, deployed the XMRig Monero cryptocurrency miner, connecting to an external server and mining for the attackers.
• Automated Detection: Sonatype’s malware detection systems quickly identified and blocked the malicious versions, protecting users through the Nexus Repository Firewall.
• Patches Released: Both Rspack and Vant addressed the breach by releasing clean updates (Rspack v1.1.8 and Vant v4.9.15) and implementing enhanced security measures.
• Open Source Risks Highlighted: Sonatype reports that 98.5% of open-source malware targets npmjs.com, emphasizing the need for regular updates, patches, and proper security solutions.
Hijacked via Compromised npm Tokens
Sonatype’s automated malware detection systems identified the malicious versions (1.1.7) of @rspack/core and @rspack/cli shortly after they were published to the npmjs.com registry. Rspack is a popular JavaScript bundler written in Rust, and its npm packages are widely used: @rspack/core receives close to 394,000 downloads weekly, and @rspack/cli more than 145,000 downloads per week. Further probing revealed that the malicious versions of these packages contained heavily obfuscated code in the dist/utils/config.js file. This code had no apparent legitimate purpose and was not present in previous versions.
Code Runs Monero Crypto Miner
The obfuscated code deployed a known Monero miner, “XMRig,” on the target system. This miner mines cryptocurrency for the attacker. The code also attempts to connect to the address hxxps://80.78.2872/tokens. A Monero address present in the code likely gathers the mined XMR. However, not much activity was associated with the address at the time of writing.
Vant Package Also Compromised
Sonatype researchers Jeff Thornhill and Adam Reynolds’ investigation discovered several compromised versions of the “vant” package. Vant is a popular lightweight Vue UI library for mobile web apps, and it receives approximately 46,000 downloads every week on npmjs.com. The compromised versions of “vant” are: 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, and 4.9.14.
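A defender's first question after reading the version lists above is whether any of those releases are pinned in a project's lockfile. The following script is an added example, not code from Sonatype, Rspack or Vant: it walks an npm package-lock.json (v1 nested "dependencies" or v2/v3 flat "packages") and reports every occurrence of the compromised @rspack/core, @rspack/cli and vant versions named in this article, including nested copies that a plain `npm ls` glance can miss. The lockfile embedded below is constructed for demonstration.

```javascript
// Added example: flag lockfile entries matching the compromised versions
// listed in the article. Works offline on a parsed package-lock.json object.
const COMPROMISED = {
  "@rspack/core": new Set(["1.1.7"]),
  "@rspack/cli": new Set(["1.1.7"]),
  "vant": new Set(["2.13.3", "2.13.4", "2.13.5", "3.6.13", "3.6.14", "3.6.15",
                   "4.9.11", "4.9.12", "4.9.13", "4.9.14"]),
};

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@rspack/core";
// the package name is everything after the last "node_modules/" segment.
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Returns [{ name, version, where }] for every compromised entry found.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = COMPROMISED[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  // v2/v3: flat map keyed by install path; "" is the root project itself.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    check(nameFromPath(path), entry.version, path);
  }
  // v1: nested "dependencies" tree; record the chain so nested copies are visible.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}${name}`;
      check(name, entry.version, where);
      walk(entry.dependencies, `${where} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout): one direct and one nested hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@rspack/core": { version: "1.1.7" },
    "node_modules/@rspack/cli": { version: "1.1.8" },
    "node_modules/vant": { version: "4.9.15" },
    "node_modules/legacy-ui/node_modules/vant": { version: "3.6.14" },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means the clean releases (Rspack 1.1.8, Vant 4.9.15) should be installed and the lockfile regenerated.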
Patch Available
Rspack and Vant quickly addressed the compromise and released patches. Rspack released version 1.1.8, which is free of the malicious code. Vant released version 4.9.15, addressing the security issue. Both also issued statements regarding the compromise. The Rspack project apologized for the risks caused by this incident, pledging that they “will implement stricter token management protocols and enhance our security review processes.” Likewise, Vant confirmed that they “have taken measures to fix it and re-released the latest version.”
Sonatype’s 2024 Open Source Malware report reveals that 98.5% of open-source malware is published on the npmjs.com registry, making it a popular target for attackers. To stay safe, keep software updated, apply patches from Rspack and Vant, and use reliable security solutions to detect malware in open-source packages.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Red Sky provides indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
https://www.npmjs.com/package/vant
https://github.com/youzan/vant/releases/tag/v4.9.15
https://github.com/web-infra-dev/rspack/releases/tag/v1.1.8
© 2024 Red Sky Alliance Corporation. All rights reserved.