Package confusion attack against NPM used to trick developers into downloading malware [Video]

Attackers gunning for supply chains again, deploying innovative blockchain technique to hide command & control.

Application testing company Checkmarx has warned developers to be on the lookout for malicious NPM packages, after discovering a new attack that employs typosquatting to impersonate two popular packages.

Part of a much larger campaign against NPM, the malicious package adds a new twist: it eschews traditional command-and-control (C2) infrastructure and instead uses the Ethereum blockchain to hold the addresses of its malicious payloads.

The campaign targets two popular NPM (Node Package Manager) packages used as part of the Jest JavaScript testing framework, “fetch-mock-jest” and “Jest-Fetch-Mock”, using a malicious package with a similar-looking name, “jest-fet-mock”.

The attacker’s assumption is that at least some developers will be in too much of a hurry to notice the misspelling, and will download one of the malicious packages.
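The defensive counterpart to that assumption is to check dependency names against the packages a team actually intends to use before anything is installed. The script below is an added example and is not code from the article or from Checkmarx: it computes the edit distance between each name in a package.json and an allowlist of trusted package names, and flags near-misses such as "jest-fet-mock" sitting two edits from "jest-fetch-mock". The allowlist and the sample package.json are constructed for the example; the trusted names are written in lowercase because NPM normalises package names that way (the article renders one of them as "Jest-Fetch-Mock").

```javascript
// Added example (not from the article): flag dependency names that sit within a
// small edit distance of a trusted package name without matching it exactly.
// NPM package names are lowercase, so all comparisons use lowercased names.

// Classic Levenshtein edit distance (insert / delete / substitute each cost 1),
// computed with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0]; // D[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return prev[b.length];
}

// Constructed allowlist: packages this (hypothetical) team intends to depend on.
const KNOWN_PACKAGES = ["jest", "jest-fetch-mock", "fetch-mock-jest", "lodash", "express"];

// Return every dependency whose name is a near-miss (1..maxDistance edits) of a
// trusted package but is not itself on the allowlist. Exact matches are legitimate.
function findTyposquats(dependencyNames, knownPackages = KNOWN_PACKAGES, maxDistance = 2) {
  const known = new Set(knownPackages.map((n) => n.toLowerCase()));
  const findings = [];
  for (const dep of dependencyNames) {
    const name = dep.toLowerCase();
    if (known.has(name)) continue;
    for (const candidate of known) {
      const distance = levenshtein(name, candidate);
      if (distance <= maxDistance) {
        findings.push({ name: dep, lookalike: candidate, distance });
      }
    }
  }
  return findings;
}

// Audit both runtime and dev dependencies of a parsed package.json object.
function auditPackageJson(pkg) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return findTyposquats(names);
}

// Constructed package.json: "jest-fet-mock" is the lookalike named in the article,
// the other entries are legitimate names from the allowlist.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.19.0", lodash: "^4.17.21" },
  devDependencies: { "jest-fet-mock": "^1.0.0", "fetch-mock-jest": "^1.5.1" },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name} resembles ${f.lookalike} (edit distance ${f.distance})`);
}
```

Run with `node` against a real package.json by replacing `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync("package.json"))`; a distance threshold of 2 catches dropped or swapped characters like the one in the article while leaving genuinely distinct names (such as "fetch-mock-jest" versus "jest-fetch-mock") unflagged. Any hit should be treated as a prompt to verify the package on the registry before installing, not as proof of malice.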

But in what appears to be a first for attacks against NPM, …