rspack
@rspack/core and @rspack/cli npm packages backdoored with XMRig
On 2024-12-19 at 02:01 UTC, an attacker holding a compromised npm publishing token released v1.1.7 of `@rspack/core` and `@rspack/cli`. Both packages contained heavily obfuscated postinstall code that fetched configuration from `80.78.28.72/tokens`, collected geolocation data via ipinfo.io, and dropped XMRig configured to use 75% of CPU threads to mine Monero. Combined weekly downloads of the two packages exceeded 500,000 (`@rspack/core` ~394k, `@rspack/cli` ~145k). The maintainers published v1.1.8 the same day with the malicious code removed and deprecated v1.1.7. Sonatype linked the incident to a compromise of the vant package on the same day, assessing it as likely the work of the same actor.
- Date
- 2024-12-19
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Cryptojacking
- Cause
- Compromised credentials
What Was Affected
Package
rspack
Language
javascript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.com
Repository
github.com/web-infra-dev/rspack
Compromised Versions
Incident Context
- Motive
- Cryptojacking
- Attribution
- Unknown attacker
- Transitive
- No
- User Impact
- 539000
- Observed Duration
- 0 days
External References
Source Data
Source record: oss/rspack/meta.yaml