Checkmarx, an application testing company, has recently issued a warning to developers about a new type of malicious attack targeting the NPM ecosystem. This attack takes advantage of typosquatting, where a malicious package with a name resembling a popular NPM package is used to deceive developers. The targeted packages are part of the Jest JavaScript testing framework, specifically “fetch-mock-jest” and “Jest-Fetch-Mock.” The attacker has created a nearly identical package, “jest-fet-mock,” hoping that developers will download it in haste, overlooking the subtle misspelling.
This attack represents part of a broader campaign against NPM, but with a unique twist. Unlike traditional attacks that rely on command and control (C2) servers, this malicious package utilizes the Ethereum blockchain to store the addresses of the malicious payloads. This blockchain-based approach helps the attackers obscure the location of their malicious infrastructure, making it harder to disrupt. The use of the blockchain’s decentralized and immutable nature offers significant advantages for the attackers, as it becomes extremely difficult to block or shut down their infrastructure.
What makes this attack particularly innovative is the use of the Ethereum blockchain to manage the malware’s command and control mechanism. Once the malicious package is downloaded, it connects to a smart contract on the blockchain to retrieve the server address that holds the malware payload. This technique is not commonly seen in attacks against NPM but is becoming more popular in malware campaigns due to its ability to sidestep traditional security measures. The blockchain’s inherent characteristics make it an appealing tool for attackers looking to maintain persistence and evade detection.
While using the blockchain provides key benefits, there are still notable challenges for the attackers. The slow communication inherent in blockchain transactions and the public nature of the blockchain make it possible for investigators to trace and track these communications once they’ve been identified as part of a malicious campaign. Nevertheless, this method complicates traditional mitigation efforts, as there’s no single point of failure that can be easily blocked, such as an IP address or server. As blockchain technology becomes more integrated into malicious activity, it’s likely that developers and security professionals will need to adapt their strategies to address these evolving threats.