Rspack and Vant shipped XMRig miners
The Rspack and Vant compromise used stolen npm publishing tokens to ship obfuscated XMRig cryptomining payloads through official packages on December 19, 2024.
Story
The Rspack and Vant incidents were the same small campaign, not isolated accidents. On December 19, 2024, attackers used stolen npm publishing tokens to push malicious releases for @rspack/core, @rspack/cli, and vant.
The packages arrived through the official npm registry. Their install-time code was obfuscated, fetched additional material from attacker infrastructure, and deployed XMRig to mine Monero on developer and CI systems.
Sonatype reported the shared network indicator 80.78.28.72, and later analysis tied the activity to MUT-1692. The useful boundary is still package-specific: Rspack and Vant are separate projects, but the date, payload style, infrastructure, and npm-token path make one campaign.
The campaign also searched cloud credential paths, which made the miner more than a nuisance payload. A compromised install could burn CPU and expose cloud material from the same developer or CI environment.
The record stays at campaign level. The individual package records carry versions, package names, and package-level impact.
Linked Attacks
2024
On 2024-12-19, the same day as the @rspack/core compromise and likely by the same actor, ten versions of the Chinese-origin Vue UI library `vant` were published to npm with obfuscated XMRig cryptojacking code beaconing to `80.78.28.72/tokens`.
A compromised npm token published @rspack/core and @rspack/cli 1.1.7 with obfuscated postinstall code. The payload fetched XMRig configuration, collected host data, and mined Monero.
Campaign Context
- Cause
- Unknown
Affected Packages
External References
Source record: oss/campaigns/rspack-vant-cryptominer-2024/meta.yaml