A dozen packages associated with the popular, open source projects rspack and vant were compromised this week by threat actors who implanted malicious, crypto-mining code in packages with hundreds of thousands of weekly downloads.
On Wednesday, newly published versions of two affected packages associated with rspack, a popular Javascript bundler, @rspack/core version 1.1.7 and @rspack/cli version 1.1.7, were removed from the npm open source package manager and replaced with “clean” versions (1.1.8) according to a statement by the rspack maintainers.
The attacks coincided with the compromise of multiple versions of the open source package vant, described as a “Vue UI library for mobile web apps” that has 46,000 weekly downloads via npmjs.com. Versions 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, 4.9.14 were found to contain crypto-mining malware, according to an analysis by the firm Socket. The maintainers of the vant project also removed compromised versions of the package and issued a clean update, v4.9.15, that removed the malicious code.
The crypto attack trend is growing
The attacks are just the latest in a string of incidents that have seen malicious actors target and successfully compromise popular, high-traffic open-source packages.
On November 21, RL software threat researcher Lucija Valentić reported on a similar malicious campaign on npm, in which three versions of the legitimate package @lottiefiles/lottie-player, a plug-in for embedding animations in websites that has more than 100,000 weekly downloads from the npm package manager. The @lottiefiles/lottie-player package was infected and used to spread malicious code that stole crypto wallet assets from victims.
The following week, RL shared analysis of a compromised open source library affiliated with the Solana blockchain platform, which put untold numbers of crypto platforms and user wallets at risk. Most interestingly, an additional compromise spotted by RL researchers that same week on the Python Package Index (PyPI) consisted of a legitimate package, ultralytics, being compromised to deliver the XMRig coinminer – the same coinminer used in @rspack/core, @rspack/cli and vant.
"This is one of the latest high-profile attacks in the last few weeks connected with cryptocurrency. Once again, the crypto miner XMRig is being served and used.”
—Lucija Valentić
How this latest cryptominer compromise works
The exact methods used by attackers to push malicious updates vary. The maintainers of vant said that the compromise of their project was the result of the theft of “one of our team members’ npm token,” leading to the release of multiple, compromised versions. A similar compromise of a maintainer account with publishing privileges is believed to be behind the compromise of the Solana web3.js package and the compromised rspack/core and rspack/cli packages.
In the attacks on the ultralytics project, attackers exploited a known GitHub Actions Script Injection that had been discovered and documented by the researcher Adnan Khan. They also used a compromised PyPI API token, stolen during the initial compromise of the build environment, to push additional malicious ultralytics packages even after the breach was discovered and disclosed.
Obfuscated code, external comms sound the alarm
Despite the different methods of compromise, the packages all contained tell-tales signs of tampering, such as the presence of obfuscated code as well as suspicious communications to external, Internet based command and control (C2) servers. Both are behaviors that RL researchers regularly observe in association with malicious activity in open-source and commercial software packages.
These suspicious changes are easy to detect — if organizations know to look for them. RL threat researchers conducted differential analysis of the compromised and clean versions of the vant open source package using ReversingLabs Spectra Assure. That showed all affected versions of vant were compromised in the same way, with the attackers adding a new malicious file obfuscated with JavaScript Obfuscator.
Image 1
As it can be seen from the image above (Image 1), new file support.js was added in the package, and multiple behaviors that are associated with malicious behavior were introduced. The most prominent of these behaviors being the obfuscated code, and the inclusion of URLs related to the release pages of projects hosted on GitHub, as seen in the image below (See Image 2).
Image 2
Differential analysis is key to exposing such compromises
The inclusion of suspicious URLs was also found in the Solana compromise as well as the aiocpa campaign, in which a legitimate-seeming client application for facilitating cryptocurrency payments was suddenly and inexplicably updated to include a large segment of Base64-obfuscated code hiding malicious infostealer code.
These incidents highlight the importance of differential analysis in being able to understand how threat actors are able to compromise legitimate packages to disseminate malicious versions.
“By performing differential analysis between two versions of software, differential policies can detect behaviors and changes characteristic for known software supply chain attacks, thus perhaps avoiding those attacks before they happen."
–Lucija Valentić
