Security Vulnerability Report
Overview
This is a re-release version of v1.1.6
On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core
and @rspack/cli
were maliciously attacked. The attacker released v1.1.7
using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.
Impact
- Affected versions:
@rspack/core
and@rspack/cli
v1.1.7
- Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
- Malicious code impact: After npm install, the postinstall script in
package.json
runs malicious code indist/util/support.js
. See Malicious code analysis for more details.
Actions Taken
Upon discovery, we immediately deprecated the affected v1.1.7
, redirected the npm latest tag to v1.1.6
, and reset all related tokens.
Subsequently, we released a secure new version v1.1.8
.
Recommended Actions
If you installed v1.1.7
during the affected period, please:
- Update to the latest safe version immediately:
@rspack/core
and@rspack/cli
to>= 1.1.8
- Check your system for any unusual activity
Apology and Commitment
We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.
If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]
We will continue to follow and respond to community feedback.