Information Security

How a Supply‑Chain Attack Compromised Vant and Rspack – Frontend Security Lessons

A recent supply‑chain poisoning incident injected malicious post‑install scripts into the popular Vant component library and Rspack build tool, stealing cloud credentials and mining Monero, prompting developers to upgrade to safe versions and reconsider npm dependency risks.

Code Mala Tang

Hello, I am ConardLi.

Today the frontend community faced a serious supply‑chain poisoning event: the well‑known open‑source component library Vant and the build tool Rspack both had versions published to npm that carried malicious code.

The incident began when compromised versions of Vant were published to the npm registry under the account of maintainer landluck, whose npm token had apparently been stolen. The attacker added a "postinstall": "node lib/utils/support.js" entry to package.json, so npm ran the malicious script automatically during installation, with whatever privileges the installing user or CI job had.

Community users noticed the abnormal behavior, reported it on GitHub, and the Vant maintainer quickly flagged the affected versions.

The attack then spread to Rspack. The attacker is believed to have used landluck’s stolen npm and GitHub tokens to obtain the npm token of an Rspack maintainer in the same GitHub organization.

The attacker then published @rspack/core and @rspack/cli version 1.1.7 with the same kind of install‑time payload; users reported these as well.

Affected Scope

Vant affected versions: 4.9.11‑4.9.14, 3.6.13‑3.6.15, 2.13.3‑2.13.5

Safe Vant versions: 4.9.15, 3.6.16, 2.13.6

Rspack affected versions: @rspack/core 1.1.7, @rspack/cli 1.1.7

Safe Rspack version: 1.1.8

Malicious Behavior Details

On Linux, the malicious script in the compromised versions downloads and runs a mining program named vant_helper, which mines Monero to the attacker’s wallet address.

The script also reads cloud service credentials from files such as /.aliyun/config.json , /.hcloud/config.json , and ~/.tccli/default.credential (configuration files of the Alibaba Cloud and Tencent Cloud CLIs, among others) and sends them to a server at 80.78.28.72.

Mitigation Measures and Recommendations

Upgrade immediately : Make sure your projects resolve to the safe versions of Vant and Rspack listed above and stop using the affected releases. Check the versions actually pinned in your lockfile (for example with npm ls vant @rspack/core @rspack/cli), not only the ranges in package.json, because a caret range such as ^4.9.11 can resolve to an affected patch release. If an affected version was installed on a developer machine or CI runner that held cloud credentials, treat those credentials as exposed and rotate them.

npm’s fine‑grained modularity accelerates JavaScript development, but every transitive dependency is code you did not review and, through lifecycle scripts, code that can run on your machine at install time. That dependency complexity is a significant supply‑chain security risk.

For more background on frontend supply‑chain security, see my previous articles:

Why is the JavaScript supply chain so fragile?

A million‑download npm package used anti‑war rhetoric to poison the supply chain!

Please check and upgrade your dependencies promptly.

Tags: Rspack, npm, malware, Vant, frontend security, supply chain attack
Written by

Code Mala Tang

Read source code together, write articles together, and enjoy spicy hot pot together.
