Rspack Supply Chain Attack Injects Cryptojacking Malware Into npm Ecosystem
The Rspack ecosystem, known for its high-performance JavaScript bundler written in Rust, has become the latest victim of a supply chain attack. The breach impacted two widely used npm packages, @rspack/core and @rspack/cli, which were tampered with to include cryptojacking malware.
Version 1.1.7 of both @rspack/core and @rspack/cli was compromised when attackers gained unauthorized publishing access to npm. These malicious versions contained obfuscated scripts designed to perform unauthorized cryptocurrency mining. “The malware is executed via the postinstall script, which runs automatically when the package is installed,” according to the Socket Research Team’s analysis.
Rspack has rapidly gained traction among top companies, including Microsoft, Amazon, Discord, and Alibaba, with @rspack/core alone boasting 370,000 weekly downloads. This breach has the potential to affect thousands of developers and enterprises using the compromised packages.
The attackers injected cryptojacking scripts into the support.js file in @rspack/core and the config.js file in @rspack/cli. Key malicious functionalities included:
- Cryptojacking: The scripts downloaded and executed the XMRig cryptomining program, directing computational power to mine Monero cryptocurrency. Parameters such as --cpu-max-threads-hint=75 were used to limit CPU usage and avoid detection.
- Data Exfiltration: The malicious code retrieved information from external servers, such as http://80.78.28.72/tokens and http://ipinfo.io/json, to collect user environment details like IP addresses and geolocation data. This reconnaissance could facilitate tailored attacks.
- Stealth Tactics: Obfuscation techniques were employed to evade detection and analysis. The malware embedded itself into the development environment via the packages’ postinstall scripts, leaving developers unaware of its presence.
The Rspack team quickly mitigated the issue by:
- Deprecating version 1.1.7 and redirecting the latest dist-tag to version 1.1.6.
- Invalidating all npm and GitHub tokens to prevent further unauthorized access.
- Releasing version 1.1.8 to remove the malicious code and restore trust in the affected packages.