A dozen packages associated with the popular, open source projects rspack and vant were compromised this week by threat actors who implanted malicious, crypto-mining code in packages with hundreds of thousands of weekly downloads.
The attacks are just the latest in a string of incidents that have seen malicious actors target and successfully compromise popular, high-traffic open-source packages.
On November 21, RL software threat researcher Lucija Valentić reported on a similar malicious campaign on npm, in which three versions of the legitimate package @lottiefiles/lottie-player, a plug-in for embedding animations in websites that has more than 100,000 weekly downloads from the npm package manager. The @lottiefiles/lottie-player package was infected and used to spread malicious code that stole crypto wallet assets from victims.
The following week, RL shared analysis of a compromised open source library affiliated with the Solana blockchain platform, which put untold numbers of crypto platforms and user wallets at risk. Most interestingly, an additional compromise spotted by RL researchers that same week on the Python Package Index (PyPI) consisted of a legitimate package, ultralytics, being compromised to deliver the XMRig coinminer - the same coinminer used in @rspack/core, @rspack/cli and vant.
"This is one of the latest high-profile attacks in the last few weeks connected with cryptocurrency. Once again, the crypto miner XMRig is being served and used."
-- Lucija Valentić
The exact methods used by attackers to push malicious updates vary. The maintainers of vant said that the compromise of their project was the result of the theft of "one of our team members' npm token," leading to the release of multiple, compromised versions. A similar compromise of a maintainer account with publishing privileges is believed to be behind the compromise of the Solana web3.js package and the compromised rspack/core and rspack/cli packages.
In the attacks on the ultralytics project, attackers exploited a known GitHub Actions Script Injection that had been discovered and documented by the researcher Adnan Khan. They also used a compromised PyPI API token, stolen during the initial compromise of the build environment, to push additional malicious ultralytics packages even after the breach was discovered and disclosed.
Despite the different methods of compromise, the packages all contained tell-tales signs of tampering, such as the presence of obfuscated code as well as suspicious communications to external, Internet based command and control (C2) servers. Both are behaviors that RL researchers regularly observe in association with malicious activity in open-source and commercial software packages.
These suspicious changes are easy to detect -- if organizations know to look for them. RL threat researchers conducted differential analysis of the compromised and clean versions of the vant open source package using ReversingLabs Spectra Assure. That showed all affected versions of vant were compromised in the same way, with the attackers adding a new malicious file obfuscated with JavaScript Obfuscator.
As it can be seen from the image above (Image 1), new file support.js was added in the package, and multiple behaviors that are associated with malicious behavior were introduced. The most prominent of these behaviors being the obfuscated code, and the inclusion of URLs related to the release pages of projects hosted on GitHub, as seen in the image below (See Image 2).
The inclusion of suspicious URLs was also found in the Solana compromise as well as the aiocpa campaign, in which a legitimate-seeming client application for facilitating cryptocurrency payments was suddenly and inexplicably updated to include a large segment of Base64-obfuscated code hiding malicious infostealer code.
These incidents highlight the importance of differential analysis in being able to understand how threat actors are able to compromise legitimate packages to disseminate malicious versions.