Security Vulnerability Report

Overview

This is a re-release version of 1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. We are currently analyzing the full impact of malicious code.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens.
Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.
If you have any questions or discover any suspicious activity, please create an issue or send an email to: web-infra-security@bytedance.com
We will continue to follow and respond to community feedback.