Open Source · 2024-12-19 · 0 days · Cryptojacking, Credential Theft

Rspack packages shipped XMRig

Part of the Rspack and Vant shipped XMRig miners campaign

A compromised npm token published @rspack/core and @rspack/cli 1.1.7 with obfuscated postinstall code. The payload fetched XMRig configuration, collected host data, and mined Monero.

Story

Rspack was hit through the package publisher path. Datadog tracks the actor as MUT-1692 and says the attacker stole an npm maintainer access token, then published trojanized 1.1.7 releases of @rspack/core and @rspack/cli.

The malicious packages carried an obfuscated Node.js script. On install, it retrieved a JSON blob from a GitHub repository under the Vant project, decoded a base64 payload, and wrote it to /tmp/vant. The payload installed a custom XMRig fork with a hardcoded configuration, with fallback logic to pull the official XMRig installer if the primary path failed.

The malware also searched for cloud credentials associated with East Asian providers, including Alibaba Cloud, Huawei Cloud, and Tencent Cloud. It exfiltrated credential material to 80.78.28.72/tokens. The campaign is grouped with the Vant compromise because the same infrastructure and payload-hosting pattern tied the records together.

Rspack's role in the campaign was especially sensitive because it is build tooling. The affected packages could execute during dependency installation on developer workstations and CI runners before an application ever started, which put the attack next to source code, build secrets, and cloud credentials.
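As a defender-side check, here is an added example (not code from Rspack, Datadog, or the source record) that audits an npm package-lock.json for the trojanized 1.1.7 releases named above and lists every dependency that npm has flagged as carrying an install-time script, since a postinstall hook was the execution path in this incident. It assumes lockfileVersion 2 or 3 (the `packages` map with npm's `hasInstallScript` flag) and uses a constructed sample lockfile.

```python
"""Audit an npm package-lock.json for the compromised Rspack releases and
for any dependency that runs preinstall/install/postinstall scripts."""
import json

# Versions named in the incident record above.
COMPROMISED = {
    "@rspack/core": {"1.1.7"},
    "@rspack/cli": {"1.1.7"},
}

def package_name(path):
    """Derive the package name from a lockfile 'packages' key such as
    'node_modules/@rspack/core' or 'node_modules/a/node_modules/b'."""
    return path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock_text):
    """Return (compromised, install_scripts): lists of (name, version)."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("needs lockfileVersion 2 or 3 ('packages' map)")
    compromised, install_scripts = [], []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = package_name(path)
        version = meta.get("version")
        if version in COMPROMISED.get(name, ()):
            compromised.append((name, version))
        # npm sets hasInstallScript when the package declares a lifecycle
        # install hook; every such package runs code at `npm install` time.
        if meta.get("hasInstallScript"):
            install_scripts.append((name, version))
    return compromised, install_scripts

# Constructed sample lockfile (hypothetical project, not a real one).
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"@rspack/core": "1.1.7"}},
        "node_modules/@rspack/core": {"version": "1.1.7", "hasInstallScript": True},
        "node_modules/@rspack/cli": {"version": "1.1.6"},
        "node_modules/example-native-addon": {"version": "2.0.0", "hasInstallScript": True},
    },
})

if __name__ == "__main__":
    bad, scripted = audit_lockfile(SAMPLE_LOCK)
    for n, v in bad:
        print(f"COMPROMISED: {n}@{v}")
    for n, v in scripted:
        print(f"install script: {n}@{v}")
```

Run it against a real lockfile with `audit_lockfile(open("package-lock.json").read())`; any hit in the first list means the install already executed the payload and the host should be treated as compromised, not merely cleaned up.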

Affected Artifacts

Incident Context

Motive: Cryptojacking
Attribution: Group
Cause: Compromised Credentials
Transitive: No
Actor: MUT-1692
User Impact: 539000

External References

Source record: oss/attacks/rspack/meta.yaml