Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
Summary:
The developers of Rspack, a popular high-performance JavaScript bundler written in Rust, have discovered that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack. This supply chain attack granted the attacker the capability to publish malicious versions of these packages to the official package registry. Versions 1.1.7 of the packages are affected as they were released by an attacker who gained unauthorized npm publishing access. They are injected with malicious scripts that lead to the execution of cryptocurrency mining malware. Rspack is billed as an alternative to the webpack, offering a "high-performance JavaScript bundler written in Rust." Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others. The @rspack/core package distributes the malware through the support.js file. In the CLI package, it is found in the config.js file. These packages have over 1.2 million and 580,000 monthly downloads respectively. The rogue versions of the two libraries contain code that makes calls to a C2 server hosted at 80.78.28[.]72 to exfiltrate sensitive configuration details and cloud service credentials.
The infection chain only targets certain countries, specifically China, Russia, Hong Kong, Belarus, and Iran. It begins via the postinstall script, which runs automatically when the package is installed. The main objective of these attacks is to trigger the download and execution of a variant of the notorious XMRig cryptocurrency miner on hosts compromised by the installation of these rogue package versions. Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8. Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities.
Security Officer Comments:
Supply chain attacks, depending on the compromised vendor, could be detrimental to the data availability, confidentiality, and integrity of the targeted environment. Rspack maintainers have launched an investigation into the root cause of the token theft. The supply chain attack targeting Rspack is also said to have singled out another npm package named vant, which has over 41,000 weekly downloads. Sonatype said the threat actors managed to publish several compromised versions of vant to the npm registry. Organizations utilizing these packages should remain vigilant for infected npm packages, as the adversary may still have persistent access to publishing permissions by compromising GitHub Actions through cache poisoning. Organizations can defend against similar attacks by implementing a "zero trust" approach, rigorously vetting all third-party vendors, and continuously monitoring their security practices to identify potential vulnerabilities throughout the supply chain.
Suggested Corrections:
Threat actors employ different techniques to execute software supply chain attacks. Three common techniques are:
“Most modern software receives routine updates to address bugs and security issues. Software vendors typically distribute updates from centralized servers to customers as a routine part of product maintenance. Threat actors can hijack an update by infiltrating the vendor’s network and either inserting malware into the outgoing update or altering the update to grant the threat actor control over the software’s normal functionality. For example, the NotPetya attack occurred in 2017 when Russian hackers targeting Ukraine spread malware through tax accounting software popular in Ukraine. What would later be called the NotPetya malware spread well beyond Ukraine and caused major global disruptions in crucial industries, including international shipping, financial services, and healthcare” (CISA, 2022)
Undermining Codesigning
“Codesigning is used to validate the identity of the code’s author and the integrity of the code. Attackers undermine codesigning by self-signing certificates, breaking signing systems, or exploiting misconfigured account access controls. By undermining codesigning, threat actors are able to successfully hijack software updates by impersonating a trusted vendor and inserting malicious code into an update. For example, APT 41, a China-based threat actor, routinely undermines codesigning while conducting sophisticated software supply chain compromises against the United States and other countries” (CISA, 2022)
Compromising Open-Source Code
“Open-source code compromises occur when threat actors insert malicious code into publicly accessible code libraries, which unsuspecting developers—looking for free blocks of code to perform specific functions—then add into their own third-party code. For example, in 2018, researchers discovered 12 malicious Python libraries uploaded on the official Python Package Index (PyPI). The attacker used typosquatting tactics by creating libraries titled “diango,” “djago,” “dajngo,” etc., to lure developers seeking the popular “django” Python library. The malicious libraries contained the same code and functionality of those they impersonated; but they also contained additional functionality, including the ability to obtain boot persistence and open a reverse shell on remote workstations. Open-source code compromises can also affect privately owned software because developers of proprietary code routinely leverage blocks of open-source code in their products” (CISA, 2022)
“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps. Due to the difficulty of mitigating consequences after a software supply chain attack occurs, network defenders should observe industry best practices before an attack has occurred. Implementing best practices will bolster an organization’s ability to prevent, mitigate, and respond to such attacks” (CISA, 2022)
NIST suggests eight key practices for establishing a NIST C-SCRM (Cyber Supply Chain Risk Management) approach that can be applied to software.
https://www.cisa.gov/sites/default/...ainst_software_supply_chain_attacks_508_1.pdf
Link(s):
https://thehackernews.com/2024/12/rspack-npm-packages-compromised-with.html
https://socket.dev/blog/rspack-supply-chain-attack
The developers of Rspack, a popular high-performance JavaScript bundler written in Rust, have discovered that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack. This supply chain attack granted the attacker the capability to publish malicious versions of these packages to the official package registry. Versions 1.1.7 of the packages are affected as they were released by an attacker who gained unauthorized npm publishing access. They are injected with malicious scripts that lead to the execution of cryptocurrency mining malware. Rspack is billed as an alternative to the webpack, offering a "high-performance JavaScript bundler written in Rust." Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others. The @rspack/core package distributes the malware through the support.js file. In the CLI package, it is found in the config.js file. These packages have over 1.2 million and 580,000 monthly downloads respectively. The rogue versions of the two libraries contain code that makes calls to a C2 server hosted at 80.78.28[.]72 to exfiltrate sensitive configuration details and cloud service credentials.
The infection chain only targets certain countries, specifically China, Russia, Hong Kong, Belarus, and Iran. It begins via the postinstall script, which runs automatically when the package is installed. The main objective of these attacks is to trigger the download and execution of a variant of the notorious XMRig cryptocurrency miner on hosts compromised by the installation of these rogue package versions. Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8. Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities.
Security Officer Comments:
Supply chain attacks, depending on the compromised vendor, could be detrimental to the data availability, confidentiality, and integrity of the targeted environment. Rspack maintainers have launched an investigation into the root cause of the token theft. The supply chain attack targeting Rspack is also said to have singled out another npm package named vant, which has over 41,000 weekly downloads. Sonatype said the threat actors managed to publish several compromised versions of vant to the npm registry. Organizations utilizing these packages should remain vigilant for infected npm packages, as the adversary may still have persistent access to publishing permissions by compromising GitHub Actions through cache poisoning. Organizations can defend against similar attacks by implementing a "zero trust" approach, rigorously vetting all third-party vendors, and continuously monitoring their security practices to identify potential vulnerabilities throughout the supply chain.
Suggested Corrections:
Threat actors employ different techniques to execute software supply chain attacks. Three common techniques are:
- Hijacking updates
- Undermining code signing
- Compromising open-source code
“Most modern software receives routine updates to address bugs and security issues. Software vendors typically distribute updates from centralized servers to customers as a routine part of product maintenance. Threat actors can hijack an update by infiltrating the vendor’s network and either inserting malware into the outgoing update or altering the update to grant the threat actor control over the software’s normal functionality. For example, the NotPetya attack occurred in 2017 when Russian hackers targeting Ukraine spread malware through tax accounting software popular in Ukraine. What would later be called the NotPetya malware spread well beyond Ukraine and caused major global disruptions in crucial industries, including international shipping, financial services, and healthcare” (CISA, 2022)
Undermining Codesigning
“Codesigning is used to validate the identity of the code’s author and the integrity of the code. Attackers undermine codesigning by self-signing certificates, breaking signing systems, or exploiting misconfigured account access controls. By undermining codesigning, threat actors are able to successfully hijack software updates by impersonating a trusted vendor and inserting malicious code into an update. For example, APT 41, a China-based threat actor, routinely undermines codesigning while conducting sophisticated software supply chain compromises against the United States and other countries” (CISA, 2022)
Compromising Open-Source Code
“Open-source code compromises occur when threat actors insert malicious code into publicly accessible code libraries, which unsuspecting developers—looking for free blocks of code to perform specific functions—then add into their own third-party code. For example, in 2018, researchers discovered 12 malicious Python libraries uploaded on the official Python Package Index (PyPI). The attacker used typosquatting tactics by creating libraries titled “diango,” “djago,” “dajngo,” etc., to lure developers seeking the popular “django” Python library. The malicious libraries contained the same code and functionality of those they impersonated; but they also contained additional functionality, including the ability to obtain boot persistence and open a reverse shell on remote workstations. Open-source code compromises can also affect privately owned software because developers of proprietary code routinely leverage blocks of open-source code in their products” (CISA, 2022)
“Network defenders are limited in their ability to quickly mitigate consequences after a threat actor has compromised a software supply chain. This is because organizations rarely control their entire software supply chain and lack authority to compel every organization in their supply chain to take prompt mitigation steps. Due to the difficulty of mitigating consequences after a software supply chain attack occurs, network defenders should observe industry best practices before an attack has occurred. Implementing best practices will bolster an organization’s ability to prevent, mitigate, and respond to such attacks” (CISA, 2022)
NIST suggests eight key practices for establishing a NIST C-SCRM (Cyber Supply Chain Risk Management) approach that can be applied to software.
- Integrate C-SCRM across the organization.
- Establish a formal C-SCRM program.
- Know and manage critical components and suppliers.
- Understand the organization’s supply chain. software for which a vulnerability is disclosed
- Closely collaborate with key suppliers.
- Include key suppliers in resilience and improvement activities.
- Assess and monitor throughout the supplier relationship.
- Plan for the full lifecycle.
https://www.cisa.gov/sites/default/...ainst_software_supply_chain_attacks_508_1.pdf
Link(s):
https://thehackernews.com/2024/12/rspack-npm-packages-compromised-with.html
https://socket.dev/blog/rspack-supply-chain-attack