vant Vue UI library npm packages backdoored with XMRig
On 2024-12-19, the same day as the @rspack/core compromise and likely by the same actor, ten versions of the Chinese-origin Vue UI library `vant` were published to npm with obfuscated XMRig cryptojacking code beaconing to `80.78.28.72/tokens`. The compromise spanned three release lines (v2, v3, v4): versions 2.13.3-2.13.5, 3.6.13-3.6.15, and 4.9.11-4.9.14. The malicious versions were published using a stolen npm publishing token. The maintainers released a clean v4.9.15. Vant had ~46,000 weekly downloads at the time of the attack.
- Date
- 2024-12-19 to 2024-12-20
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Cryptojacking
- Cause
- Compromised credentials
What Was Affected
Package
vant
Language
javascript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.com
Repository
github.com/youzan/vant
Compromised Versions
2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, 4.9.14
Incident Context
- Motive
- Cryptojacking
- Attribution
- Unknown attacker
- Transitive
- No
- User Impact
- 46000
- Observed Duration
- 1 day
External References
Source Data
Source record: oss/vant/meta.yaml