A series of high-profile compromises targeting popular open source packages have been uncovered, exposing the growing risk of malicious code infiltration in widely used software tools.
Threat actors implanted cryptomining malware in packages associated with rspack, a JavaScript bundler, and vant, a Vue UI library for mobile web apps. Together, these tools see hundreds of thousands of weekly downloads from npm, a major package manager.
The breaches, discovered by security researchers at ReversingLabs, affected @rspack/core and @rspack/cli versions 1.1.7, which were swiftly removed and replaced with clean versions (1.1.8), according to rspack maintainers.
Similarly, vant’s compromised versions (spanning 2.13.3 to 4.9.14) were patched with a malware-free update (version 4.9.15). The malicious code used in these packages included the XMRig cryptominer, a recurring tool in recent supply chain attacks.
String of Open Source Threats
These incidents are part of a broader trend in open source software compromises. Just weeks earlier, malicious actors targeted @lottiefiles/lottie-player, an animation plugin with over 100,000 weekly downloads, embedding crypto wallet-stealing malware. Another attack on a Solana blockchain library jeopardized user wallets, while the ultralytics Python package was exploited to distribute the XMRig cryptominer.
Read more on cryptocurrency threats: Crypto-Hackers Steal $2.2bn as North Koreans Dominate
ReversingLabs explained that the rspack and vant breaches stemmed from stolen npm tokens, enabling attackers to upload tainted versions. In the ultralytics case, GitHub Actions Script Injection and a stolen PyPI API token facilitated the attack. Each incident showcased tell-tale signs, such as obfuscated code and unauthorized communication with external servers.
Spotting and Preventing Compromises
Differential analysis played a critical role in uncovering these breaches. By comparing clean and malicious versions, researchers detected new files, obfuscated JavaScript and suspicious external URLs.
“By performing differential analysis between two versions of software, differential policies can detect behaviors and changes characteristic for known software supply chain attacks, thus perhaps avoiding those attacks before they happen,” said ReversingLabs software threat researcher Lucija Valentić.
Differential analysis is just one of several methods to combat such attacks. Other approaches include implementing strict access controls to prevent unauthorized changes, routinely scanning software dependencies for vulnerabilities and using automated tools to monitor for suspicious behavior in package updates.