Researchers uncovered a supply chain attack carried out by a threat actor tracked as MUT-1692. The campaign was first detected through a suspicious npm package (argus3-test) that mimicked a legitimate tool; its postinstall script attempted to connect to a remote C2 server when run on Linux systems. Further analysis exposed a broader campaign in which MUT-1692 compromised the credentials of a maintainer of the Rspack JavaScript bundler project. This allowed the attacker to publish trojanized versions of the widely used @rspack/core and @rspack/cli packages (version 1.1.7), which shipped with hidden malware.
The malicious packages delivered a multi-stage payload: an obfuscated Node.js script downloaded a base64-encoded file from a GitHub repository ("Vant"), decoded it, and executed it. The payload deployed a custom-configured XMRig cryptominer and, as a fallback, downloaded the official XMRig installer. The malware also harvested cloud credentials, particularly targeting developers using East Asian cloud providers such as Huawei Cloud, Alibaba Cloud, and Tencent Cloud, by scanning local directories for credential files and sending the tokens it found to a remote server.