Supply Chain Attack Uses Smart Contracts for C2 Ops
Security researchers claim to have discovered the first-ever open source supply chain attack combining blockchain technology with traditional attack vectors.
Checkmarx said it found the malicious “jest-fet-mock” package on npm. It impersonates two legitimate and widely used JavaScript testing utilities: “fetch-mock-jest” and “jest-fetch-mock.”
“The attacker used a classic typosquatting technique by misspelling ‘fetch’ as ‘fet’ while maintaining the key terms ‘jest’ and ‘mock,’” it wrote.
“Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.”
However, the really novel part of the attack chain comes once the victim downloads the malicious package.
“When executed, the malware interacts with a smart contract at address ‘0xa1b40044EBc2794f207D45143Bd82a1B86156c6b.’ Specifically, it calls the contract ‘getString’ method, passing ‘0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84’ as a parameter to retrieve its [command-and-control] C2 server address,” Checkmarx explained.
“By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications.”
This gives the threat actors greater agility. Rather than hardcoding C2 server addresses in the malware, they update the contract's stored value whenever needed to point to a new server, so even if network defenders block one C2 server, the adversary can switch to a new one with a single transaction. Two caveats matter for defenders: what is immutable is the contract and its transaction history, not the value it returns, and every update to that value is itself a public transaction that can be monitored; and the malware still has to reach a JSON-RPC endpoint to perform the read, so a build host whose outbound traffic is restricted to an allowlist never completes the lookup.
“The discovery of ‘jest-fet-mock’ reveals how threat actors are finding different ways to compromise the software supply chain,” Checkmarx concluded.
“This case serves as an important reminder for development teams to implement strict security controls around package management and carefully verify the authenticity of testing utilities, especially those requiring elevated privileges.”