vant npm packages shipped XMRig
Part of the Rspack and Vant shipped XMRig miners campaign
On 2024-12-19, the same day as the @rspack/core compromise and likely by the same actor, ten versions of the Chinese-origin Vue UI library vant were published to npm with obfuscated XMRig cryptojacking code beaconing to 80.78.28.72/tokens.
Story
Vant was the second half of the December 2024 Rspack/Vant npm campaign. On December 19, attackers published malicious Vant releases across the v2, v3, and v4 lines, giving the payload a wide compatibility surface.
The malicious code matched the Rspack pattern. It ran during npm installation, reached out to attacker infrastructure, installed XMRig, and sent host and credential data to 80.78.28.72/tokens. The campaign also touched cloud credential paths used by Alibaba Cloud, Huawei Cloud, and Tencent Cloud.
The Vant repository itself mattered to the campaign. Rspack's payload pulled a base64 blob from a Vant GitHub object, tying the two records together by infrastructure as well as timing. Sonatype blocked affected packages and reported the linked compromise across both projects.
Maintainers released a clean version, 4.9.15, and deprecated the compromised versions. The 46,000 figure records package reach around the incident, not a confirmed victim count.
This record stays package-specific because Vant had ten affected releases across three major lines. Teams had to search lockfiles and caches for each version, not just look for a single compromised package coordinate.
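The per-version lockfile search described above, as an added example that is not code from the Vant project or from the cited reports. This record does not list the ten compromised versions, so `BAD_VERSIONS` holds labelled placeholders, and `example-ui-kit`, `@example/vant` and `demo-app` are constructed names.

```javascript
// PLACEHOLDERS: this record does not list the ten compromised versions.
// Replace with the exact versions from the advisory before use.
const BAD_VERSIONS = new Set(["0.0.0-placeholder-v2", "0.0.0-placeholder-v3", "0.0.0-placeholder-v4"]);

// Collect every install of `name` in a parsed package-lock.json, including
// copies nested under another package's node_modules.
function findInstalls(lock, name) {
  const hits = [];
  const add = (path, meta) => {
    if (!hits.some((h) => h.path === path)) {
      hits.push({ path, version: meta.version, resolved: meta.resolved || null });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) add(path, meta);
  }
  // lockfileVersion 1 (and the compatibility copy in v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) add(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Flag each install whose pinned version is on the deny list.
function auditLock(lock, name = "vant", bad = BAD_VERSIONS) {
  return findInstalls(lock, name).map((h) => ({ ...h, compromised: bad.has(h.version) }));
}

// Constructed sample lockfile (not from the incident): one direct install at the
// clean 4.9.15 and one nested copy pinned to a placeholder "bad" version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vant": { version: "4.9.15" },
    "node_modules/@example/vant": { version: "0.0.0-placeholder-v4" },
    "node_modules/example-ui-kit/node_modules/vant": { version: "0.0.0-placeholder-v4" },
  },
};

console.log(auditLock(SAMPLE_LOCK).filter((h) => h.compromised));
```

For a real project, pass the parsed contents of `package-lock.json` to `auditLock`. The function covers npm lockfiles only; yarn and pnpm lockfiles and local package caches need their own check.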
Affected Artifacts
- Observed: 2024-12-19 to 2024-12-20
- Fixed: Not listed
- Compromised versions span the v2, v3, and v4 release lines; maintainers released clean v4.9.15.
- Public reporting cited package download volume as exposure context; confirmed victim count is unknown.
Incident Context
- Motive: Cryptojacking
- Attribution: Group
- Cause: Compromised Credentials
- Transitive: No
- Actor: MUT-1692
External References
- npm packages Rspack and Vant compromised, blocked by Sonatype (sonatype.com)
- Rspack and Vant npm packages compromised with cryptomining malware (thehackernews.com)
- MUT-1692 compromises Rspack maintainer's account to distribute cryptojacking and infostealer malware (securitylabs.datadoghq.com)
Source record: oss/attacks/vant/meta.yaml