BleepingComputer reports that three widely used npm packages belonging to Rspack, a high-performance JavaScript bundler, and Vant, a customizable Vue.js UI library, were compromised in a supply chain attack to distribute the XMRig cryptocurrency mining malware, according to researchers at Sonatype and Socket.
Threat actors used exfiltrated npm account tokens to insert malicious code into the 'support.js' and 'config.js' files of the @rspack/core and @rspack/cli packages, respectively. According to a Socket report, the code runs automatically through the npm post-install script, collects the targeted system's location and network information, and then downloads the XMRig binary. The compromised Vant package, meanwhile, was found to conceal XMRig as '/tmp/vant_helper.' Both projects have addressed the issue: Rspack urges users to update immediately to version 1.1.8 or later, and Vant has called on users to promptly move to version 4.9.15 or newer to avert the risk of compromise.