Supply Chain Attack Uses Smart Contracts for C2 Ops
Security researchers claim to have discovered the first-ever open source supply chain attack combining blockchain technology with traditional attack vectors.
Checkmarx said it found the malicious “jest-fet-mock” package on npm. It spoofs two legitimate and widely used JavaScript testing utilities: “fetch-mock-jest” and “Jest-Fetch-Mock.”
“The attacker used a classic typosquatting technique by misspelling ‘fetch’ as ‘fet’ while maintaining the key terms ‘jest’ and ‘mock,’” it wrote.
“Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.”
However, the really novel part of the attack chain comes once the victim downloads the malicious package.
“When executed, the malware interacts with a smart contract at address ‘0xa1b40044EBc2794f207D45143Bd82a1B86156c6b.’ Specifically, it calls the contract ‘getString’ method, passing ‘0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84’ as a parameter to retrieve its [command-and-control] C2 server address,” Checkmarx explained.
“By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications.”
This indirection also gives the threat actors agility. Rather than hardcoding C2 server addresses in the malware, they update the value stored in the smart contract whenever needed so that it points to a new server. Even if network defenders block one C2 server, the adversaries can switch to another simply by updating the contract.
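The two techniques described above (a typosquatted package name that keeps the legitimate name's tokens, and a C2 address resolved at run time from a smart contract rather than hardcoded) both leave fingerprints that a defender can check for before a package reaches a developer workstation or CI runner. The following Node.js script is an added example written for this article; it is not Checkmarx's tooling or code from any of the packages named. It assumes a small constructed allow-list of known package names and a constructed package record (`SAMPLE_PACKAGE`) whose source fragment reuses only the contract address, parameter and method name quoted in the article. It flags names within a short edit distance of a known package (or sharing its hyphen-separated tokens with one token misspelled), install-time lifecycle hooks, and source text that pairs a 40-hex-digit contract-style address with a blockchain read call.

```javascript
// Added example, not code from the article or from the packages it names.
// Heuristics a defender might run over a package before allowing it into a
// CI/CD cache or developer machine. The allow-list and SAMPLE_PACKAGE below
// are constructed for illustration.

const KNOWN_PACKAGES = ["fetch-mock-jest", "jest-fetch-mock", "jest", "fetch-mock"];

// Damerau-Levenshtein (optimal string alignment) distance: each insertion,
// deletion, substitution or adjacent transposition costs 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Token-level check for names like "jest-fet-mock": same number of
// hyphen-separated tokens as a known package, all but exactly one matching
// exactly (in any order), and that one within edit distance 2 of a real token.
function tokenSimilar(candidate, known) {
  const ct = candidate.split("-");
  const remaining = known.split("-");
  if (ct.length !== remaining.length) return false;
  let fuzzy = 0;
  for (const t of ct) {
    const exact = remaining.indexOf(t);
    if (exact >= 0) { remaining.splice(exact, 1); continue; }
    const near = remaining.findIndex((k) => editDistance(t, k) <= 2);
    if (near < 0) return false;
    remaining.splice(near, 1);
    fuzzy++;
  }
  return fuzzy === 1;
}

// Returns the known packages a name resembles; a name on the allow-list itself
// is never reported (so "fetch-mock-jest" and "jest-fetch-mock" do not flag
// each other even though they share tokens).
function typosquatMatches(name) {
  if (KNOWN_PACKAGES.includes(name)) return [];
  return KNOWN_PACKAGES.filter((k) => tokenSimilar(name, k) || editDistance(name, k) <= 2);
}

// A 0x-prefixed 40-hex-digit literal is the shape of an EVM contract/account
// address; on its own it is weak evidence, so it is only escalated when the
// same source also contains a blockchain read call.
const ADDRESS_RE = /0x[0-9a-fA-F]{40}\b/g;
const CHAIN_READ_HINTS = ["eth_call", "getString", "jsonrpc"];

// pkg: { name, scripts?, sourceText? } as a reviewer would assemble from
// package.json and the unpacked tarball.
function scanPackage(pkg) {
  const findings = [];
  const squats = typosquatMatches(pkg.name);
  if (squats.length) findings.push(`name "${pkg.name}" resembles known package(s): ${squats.join(", ")}`);
  const scripts = pkg.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  const source = pkg.sourceText || "";
  const addrs = [...new Set(source.match(ADDRESS_RE) || [])];
  if (addrs.length) findings.push(`contract-style address literal(s): ${addrs.join(", ")}`);
  const hints = CHAIN_READ_HINTS.filter((h) => source.includes(h));
  if (addrs.length && hints.length) {
    findings.push(`blockchain read (${hints.join(", ")}) paired with address literal: possible C2 lookup`);
  }
  return findings;
}

// Constructed sample package record; the address, parameter and method name in
// the source fragment are the ones Checkmarx reported for jest-fet-mock.
const SAMPLE_PACKAGE = {
  name: "jest-fet-mock",
  scripts: { postinstall: "node index.js" },
  sourceText:
    'const addr = "0xa1b40044EBc2794f207D45143Bd82a1B86156c6b";\n' +
    'const c2 = await contract.getString("0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84");\n',
};

for (const f of scanPackage(SAMPLE_PACKAGE)) console.log("[!]", f);
```

Run it with `node scan.js`; each finding is printed on its own line. The name check is deliberately two-sided: a whole-name edit distance catches single-character slips, while the token check catches names such as jest-fet-mock that keep every legitimate token but one. The address regex alone would be noisy (test fixtures and documentation contain such literals), which is why the script only reports a possible C2 lookup when an address literal and a read-style call appear in the same source.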
“The discovery of ‘jest-fet-mock’ reveals how threat actors are finding different ways to compromise the software supply chain,” Checkmarx concluded.
“This case serves as an important reminder for development teams to implement strict security controls around package management and carefully verify the authenticity of testing utilities, especially those requiring elevated privileges.”