Attackers gunning for supply chains again, deploying innovative blockchain technique to hide command & control.
Application testing company Checkmarx has warned developers to be on the lookout for malicious NPM packages, after discovering a new attack that employs typosquatting to impersonate two popular packages.
Part of a much larger campaign against NPM, the malicious package adds a new twist: it eschews traditional command & control (C2) infrastructure and instead uses the Ethereum blockchain to hold the addresses of its malicious payloads.
The campaign targets two popular NPM (Node Package Manager) packages used as part of the Jest JavaScript testing framework, “fetch-mock-jest” and “Jest-Fetch-Mock”, using a malicious package with a similar-looking name, “jest-fet-mock”.
The attacker’s assumption is that at least some developers will be in too much of a hurry to notice the misspelling, and will download one of the malicious packages.
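One defensive check that follows from this: compare each declared dependency name against a list of packages your team actually uses and flag near-misses before install. The script below is an added example, not code from the article or from Checkmarx; the three package names come from the article, while the list of "known" packages, the distance threshold and the sample dependency block are assumptions constructed for illustration.

```javascript
// Added example: flag dependency names that are a small edit away from a
// well-known package, the pattern behind the "jest-fet-mock" lookalike.

// Assumed allow-list; a real one would be generated from your lockfiles.
const KNOWN_PACKAGES = ["fetch-mock-jest", "jest-fetch-mock", "jest", "fetch-mock"];

// Levenshtein edit distance (insert / delete / substitute, each cost 1),
// computed with a rolling pair of rows.
function editDistance(a, b) {
  const m = a.length, n = b.length;
  let prev = Array.from({ length: n + 1 }, (_, j) => j);
  for (let i = 1; i <= m; i++) {
    const cur = [i];
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[n];
}

// Report every dependency that is not an exact known name but lies within
// maxDistance edits of one. npm names are lower-case, so normalise first.
function findTyposquats(dependencyNames, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const dep of dependencyNames) {
    const name = dep.toLowerCase();
    if (known.includes(name)) continue; // exact match: the package you meant
    for (const k of known) {
      const d = editDistance(name, k);
      if (d > 0 && d <= maxDistance) {
        findings.push({ dependency: dep, lookalike: k, distance: d });
      }
    }
  }
  return findings;
}

// Constructed sample "dependencies" block from a package.json.
const sampleDeps = {
  "jest-fetch-mock": "^3.0.3", // legitimate package named in the article
  "jest-fet-mock": "^1.0.0",   // lookalike named in the article
  "express": "^4.19.2"         // unrelated, should not be flagged
};

const sampleFindings = findTyposquats(Object.keys(sampleDeps));
console.log(sampleFindings); // one finding: jest-fet-mock ~ jest-fetch-mock (distance 2)
```

A threshold of 2 catches dropped or swapped characters while leaving genuinely different names alone; tune it against your own dependency list and review hits by hand rather than auto-blocking.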
But in what appears to be a first for attacks against NPM, …