A dozen packages associated with the popular, open source projects *rspack* and *vant* were compromised this week by threat actors who implanted malicious, crypto-mining code in packages with hundreds of thousands of weekly downloads.On Wednesday, newly published versions of two affected packages associated with *rspack* , a popular Javascript bundler, *@rspack/core* version [1.1.7](https://secure.software/npm/packages/@rspack/core/1.1.7) and *@rspack/cli* version [1.1.7](https://secure.software/npm/packages/@rspack/cli/1.1.7), were removed from the npm open source package manager and replaced with ‘clean’ versions (1.1.8) according to a [statement](https://github.com/web-infra-dev/rspack/issues/8767) by the rspack maintainers.The attacks coincided with the compromise of multiple versions of the open source package *vant,* described as a ‘Vue UI library for mobile web apps’ that has 46,000 weekly downloads via npmjs.com. Versions [2.13.3](https://secure.software/npm/packages/vant/2.13.3), [2.13.4](https://secure.software/npm/packages/vant/2.13.4), [2.13.5](https://secure.software/npm/packages/vant/2.13.5), [3.6.13](https://secure.software/npm/packages/vant/3.6.13), [3.6.14](https://secure.software/npm/packages/vant/3.6.14), [3.6.15](https://secure.software/npm/packages/vant/3.6.15), [4.9.11](https://secure.software/npm/packages/vant/4.9.11), [4.9.12](https://secure.software/npm/packages/vant/4.9.12), [4.9.13](https://secure.software/npm/packages/vant/4.9.13), [4.9.14](https://secure.software/npm/packages/vant/4.9.14) were found to contain crypto-mining malware, according to [an analysis by the firm Socket](https://socket.dev/blog/rspack-supply-chain-attack). The maintainers of the vant project also removed compromised versions of the package and issued a clean update,[v4.9.15](https://github.com/youzan/vant/releases/tag/v4.9.15), that removed the malicious code.The crypto attack trend is growing———————————-The attacks are just the latest in a string of incidents that have seen malicious actors target and successfully compromise popular, high-traffic open-source packages.On November 21, RL software threat researcher [Lucija Valentić](mailto:lucija.valentic@reversinglabs.com) [reported on a similar malicious campaign](https://www.reversinglabs.com/blog/differential-analysis-raises-red-flags-over-lottiefiles/lottie-player) on npm, in which three versions of the legitimate package [*@lottiefiles/lottie-player*](https://secure.software/npm/packages/@lottiefiles/lottie-player?_gl=1*1mt5rw9*_gcl_au*MTkzMDIyNjYxMy4xNzMxOTM5NTQyLjM4ODcxNzYzMy4xNzMzMjU5MDQ0LjE3MzMyNTkwNDQ.), a plug-in for embedding animations in websites that has more than 100,000 weekly downloads from the npm package manager. The @lottiefiles/lottie-player package was infected and used to spread malicious code that stole crypto wallet assets from victims.The following week, [RL shared analysis](https://www.reversinglabs.com/blog/malware-found-in-solana-npm-library-with-50m-downloads) of a compromised open source library affiliated with the Solana blockchain platform, which put untold numbers of crypto platforms and user wallets at risk. Most interestingly, an additional compromise [spotted by RL researchers that same week](https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer) on the Python Package Index (PyPI) consisted of a legitimate package, *ultralytics* , being compromised to deliver the XMRig coinminer — the same coinminer used in *@rspack/core, @rspack/cli* and*vant.*> *’This is one of the latest high-profile attacks in the last few weeks connected with cryptocurrency. Once again, the crypto miner XMRig is being served and used.’* > *—[Lucija Valentić](https://www.linkedin.com/in/lucija-valenti%C4%87-731975210/)*How this latest cryptominer compromise works——————————————–The exact methods used by attackers to push malicious updates vary. The maintainers of vant said that the compromise of their project was [the result of the theft of ‘one of our team members’ npm token,’](https://github.com/youzan/vant/releases/tag/v4.9.15) leading to the release of multiple, compromised versions. A similar compromise of a maintainer account with publishing privileges is believed to be behind the compromise of the Solana*web3.js* package and the compromised *rspack/core* and *rspack/cli*packages.In the [attacks on the *ultralytics* project](https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer), attackers exploited a known [GitHub Actions Script Injection](https://github.com/ultralytics/actions/security/advisories/GHSA-7×29-qqmq-v6qc) that had been discovered and documented by the researcher [Adnan Khan](https://www.linkedin.com/in/adnanekhan/). They also used a compromised PyPI API token, stolen during the initial compromise of the build environment, to push additional malicious *ultralytics* packages even after the breach was discovered and disclosed.Obfuscated code, external comms sound the alarm———————————————–Despite the different methods of compromise, the packages all contained tell-tales signs of tampering, such as the presence of obfuscated code as well as suspicious communications to external, Internet based command and control (C2) servers. Both are behaviors that RL researchers regularly observe in association with malicious activity in open-source and commercial software packages.These suspicious changes are easy to detect — if organizations know to look for them. RL threat researchers conducted differential analysis of the compromised and clean versions of the vant open source package using ReversingLabs Spectra Assure. That showed all affected versions of *vant*were compromised in the same way, with the attackers adding a new malicious file obfuscated with JavaScript Obfuscator.Image 1As it can be seen from the image above *(Image 1)* , new file *support.js* was added in the package, and multiple behaviors that are associated with malicious behavior were introduced. The most prominent of these behaviors being the obfuscated code, and the inclusion of URLs related to the release pages of projects hosted on GitHub, as seen in the image below *(See Image 2)*.Image 2Differential analysis is key to exposing such compromises———————————————————The inclusion of suspicious URLs was also found in the Solana compromise as well as the aiocpa campaign, in which a legitimate-seeming client application for facilitating cryptocurrency payments was suddenly and inexplicably updated to include a large segment of Base64-obfuscated code hiding malicious infostealer code.These incidents highlight the importance of differential analysis in being able to understand how threat actors are able to compromise legitimate packages to disseminate malicious versions.> *’By performing differential analysis between two versions of software,* [*differential policies*](https://docs.secure.software/policies/threat-hunting#differential-analysis-policies)*can detect behaviors and changes characteristic for known software supply chain attacks, thus perhaps avoiding those attacks before they happen.’* *–Lucija Valentić*
Related Tags:
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 519 – Web Search Portals
Libraries
Archives
Other Information Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: ReversingLabs
Obfuscated Files or Information: Binary Padding
Obfuscated Files or Information
Associated Indicators: