A significant supply chain security breach has been uncovered by cybersecurity researchers at Sonatype and Socket, affecting three widely used npm packages: @rspack/core, @rspack/cli, and Vant. The attack was executed through compromised npm tokens and resulted in malicious code designed to mine Monero cryptocurrency being injected into each affected package version.
Impact Assessment and Package Details
The compromised packages have substantial reach within the developer community. @rspack/core recorded 394,000 weekly downloads and @rspack/cli reached 145,000 weekly downloads. The Vant UI library, primarily used in Vue.js applications, accounts for an additional 46,000 weekly downloads. Rspack is a high-performance JavaScript bundler written in Rust and is a critical dependency in many modern web development workflows.
Technical Analysis of the Malware
The malicious code was identified in Rspack version 1.1.7 and multiple Vant releases, including versions 2.13.3-5, 3.6.13-15, and 4.9.11-14. Attackers embedded the payload inside support.js (@rspack/core) and config.js (@rspack/cli). The malware collected geographic and network configuration data before deploying the XMRig cryptocurrency miner. In the Vant package, the mining process ran under the disguised process name “vant_helper” to evade detection.
Node.js Developers Who Installed Malicious npm Packages
Any developer or organization that installed the compromised package versions is at risk. Specifically affected are:
- JavaScript and TypeScript projects using @rspack/core or @rspack/cli version 1.1.7
- Vue.js projects using Vant versions 2.13.3–5, 3.6.13–15, or 4.9.11–14
- CI/CD pipelines that automatically install the latest package versions without lock-file pinning
- Production servers where these packages were installed and run with elevated permissions
Security Response and Patched Versions
Development teams released patched versions promptly. Users of Rspack should upgrade immediately to version 1.1.8 or later. Vant users must update to version 4.9.15 or newer. The patched releases remove the malicious code and introduce additional integrity checks.
Removing Malicious npm Packages and Recovering Compromised Credentials
If your project uses any of the affected packages, take these steps immediately:
- Update @rspack/core and @rspack/cli to 1.1.8+ and Vant to 4.9.15+ using npm update or yarn upgrade
- Run npm audit or use a software composition analysis (SCA) tool to identify other vulnerable dependencies
- Inspect running processes on build servers for unexpected processes named “vant_helper” or XMRig-related binaries
- Rotate any npm tokens that were used in CI/CD pipelines during the exposure window
- Enable npm’s package integrity verification and enforce lock-file usage (npm ci instead of npm install) in all pipelines
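The two lists above (who is affected, and the remediation steps) both come down to the same check: does a project's lock file pin any of the version numbers named in this article, and is the disguised miner process present on a build host. The following Node.js script is an added example written for this page; it is not code from the article, from Sonatype or Socket, or from the Rspack or Vant projects. It reads the compromised versions straight from the article (the Vant ranges are expanded), handles both the nested lockfileVersion 1 layout and the flat "packages" map of lockfileVersion 2/3, and also flags process-listing lines that mention vant_helper or XMRig. The sample lock files and the process listing are constructed for demonstration.

```javascript
// Added example (not code from the article or from the Rspack/Vant projects):
// scan a package-lock.json for the compromised versions the advisory lists,
// and flag the process names it names as indicators of the miner.

// Versions named in the advisory; the Vant ranges 2.13.3-5, 3.6.13-15 and
// 4.9.11-14 are expanded here.
const COMPROMISED = {
  '@rspack/core': new Set(['1.1.7']),
  '@rspack/cli': new Set(['1.1.7']),
  vant: new Set([
    '2.13.3', '2.13.4', '2.13.5',
    '3.6.13', '3.6.14', '3.6.15',
    '4.9.11', '4.9.12', '4.9.13', '4.9.14',
  ]),
};

// lockfileVersion 2/3 keys look like "node_modules/@rspack/core" or, for a
// nested copy, "node_modules/legacy-ui/node_modules/vant"; the package name
// is everything after the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// lockfileVersion 1 nests transitive dependencies under each entry's own
// "dependencies" object, so walk it recursively.
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const lockPath = `${prefix}node_modules/${name}`;
    out.push({ name, version: info.version, path: lockPath });
    if (info.dependencies) walkV1(info.dependencies, `${lockPath}/`, out);
  }
}

// Every installed (name, version, path) triple, whatever the lockfile version.
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    for (const [lockPath, info] of Object.entries(lock.packages)) {
      if (lockPath === '') continue; // "" is the root project itself
      const name = nameFromLockPath(lockPath);
      if (name && info.version) out.push({ name, version: info.version, path: lockPath });
    }
  } else {
    walkV1(lock.dependencies, '', out);
  }
  return out;
}

// Installed entries whose name/version pair is on the compromised list.
function findCompromised(lock) {
  return listInstalled(lock).filter(
    ({ name, version }) => COMPROMISED[name] !== undefined && COMPROMISED[name].has(version),
  );
}

// Process-listing check: "vant_helper" and XMRig are the indicators the
// advisory names. Each input string is one line of a `ps -eo pid,comm,args`.
const SUSPICIOUS_PROCESS = /vant_helper|xmrig/i;
function flagSuspiciousProcesses(psLines) {
  return psLines.filter((line) => SUSPICIOUS_PROCESS.test(line));
}

function scanLockfile(filePath) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample lock file in the v3 layout (demonstration only).
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@rspack/core': { version: '1.1.7' },
    'node_modules/@rspack/cli': { version: '1.1.8' },
    'node_modules/vant': { version: '4.9.15' },
    'node_modules/legacy-ui': { version: '0.3.0' },
    'node_modules/legacy-ui/node_modules/vant': { version: '2.13.4' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Constructed sample in the v1 layout, with the same nested copy of vant.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    '@rspack/cli': { version: '1.1.7' },
    'legacy-ui': { version: '0.3.0', dependencies: { vant: { version: '2.13.4' } } },
    vant: { version: '4.9.15' },
  },
};

// Constructed process listing (not a real capture).
const SAMPLE_PS = [
  '  812 node        node /srv/ci/runner.js',
  ' 2231 vant_helper /tmp/.cache/vant_helper',
  ' 2240 sh          sh -c npm ci',
];

const target = process.argv[2];
if (target && target.endsWith('package-lock.json')) {
  // Usage: node scan-lock.js path/to/package-lock.json  (exit code 1 on a hit)
  const hits = scanLockfile(target);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
} else {
  console.log(findCompromised(SAMPLE_LOCK_V3));
  console.log(flagSuspiciousProcesses(SAMPLE_PS));
}
```

Run it against a real lock file with `node scan-lock.js package-lock.json`; the non-zero exit code makes it usable as a CI gate in the pipelines the article recommends locking down with npm ci. The nested-copy cases matter: a project whose direct Vant dependency is already 4.9.15 can still carry a compromised 2.x copy under another package, which is why the scan walks every node_modules path rather than only top-level entries.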