Blockchain-Enabled Malware Used in Latest Supply Chain Attack
November 13, 2024
In a new development in supply chain attacks, attackers are targeting Node Package Manager (NPM) packages used in developer testing environments. John E. Dunn, writing in InfoWorld, reports that the attackers use typosquatting to get malicious packages installed and then use the Ethereum blockchain, rather than a conventional server, for command and control (C2).
The campaign impersonates popular NPM packages, such as those used for testing with the Jest JavaScript framework, by publishing similarly named malicious packages that, once installed, contact a smart contract on the Ethereum blockchain.
Keeping the C2 details in a smart contract lets the malware look up where to fetch its payload from without embedding a fixed IP address or domain in the package, which sidesteps defenses that block known addresses; the attacker can redirect victims by updating the contract instead of republishing the package.
The attack targets widely used testing packages like “fetch-mock-jest” and “jest-fetch-mock” by distributing a look-alike malicious package, “jest-fet-mock.”
The strategy is to exploit hurried developers who might overlook the minor misspelling and install the malicious package. Unlike typical malware, which relies on centralized C2 servers that can be seized or blocked, the blockchain’s decentralized nature gives attackers infrastructure that is resistant to takedowns.
The technique is still experimental: a public blockchain is slower than a direct connection, and everything written to it is visible to anyone, so defenders can read the same contract the malware reads and watch it for changes. Even so, it gives attackers a channel that survives the loss of any single server, which makes infected environments harder to cut off or clean up.
Aside from its novelty, this attack highlights a growing trend in NPM-related threats. Attackers increasingly target tools essential to continuous integration/continuous deployment (CI/CD) processes, such as testing libraries, to gain privileged access to developer environments.
Phylum, Socket, and other cybersecurity firms have reported an array of such attacks on NPM, documenting hundreds of malicious packages that typosquat libraries like Puppeteer and Bignum.js.
These attacks underscore the need for heightened security protocols around supply chains. Developers should adopt proactive measures, such as scrutinizing package names before adding a dependency, pinning versions in a lockfile, installing with npm’s ignore-scripts setting where the project allows it so that preinstall and postinstall hooks do not run automatically, and using tools that verify package integrity before deployment.
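As an added example, not code from the article or from any package it mentions, the following Node script runs the checks just described over a dependency’s package.json before it is installed. It flags the three things the campaign above relies on: a name within a couple of edits of a popular package, a lifecycle script that npm runs automatically at install time, and install-script code that references Ethereum libraries or RPC calls. The popular-package list, the suspect manifest and its preinstall script are all constructed here for illustration; the script contents and the zero address are placeholders, not material recovered from the real package.

```javascript
// Added example, not code from the article or from the packages it names.
// Audits a dependency's package.json for the warning signs discussed above:
// a typosquat of a popular name, automatic install hooks, and install-script
// code that reaches for Ethereum/RPC libraries. Every input below is constructed.

// Constructed allow-list of names worth protecting. A real deployment would use
// the project's own lockfile plus the registry's most-downloaded packages.
const POPULAR = ['jest', 'jest-fetch-mock', 'fetch-mock-jest', 'puppeteer',
                 'bignum', 'lodash', 'express', 'react'];

// Lifecycle hooks npm runs without any action from the developer.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Strings a test helper has no reason to contain: Ethereum client libraries,
// the JSON-RPC call used to read a contract, and a 20-byte hex address.
const CHAIN_INDICATORS = [/\bethers\b/, /\bweb3\b/, /eth_call/, /JsonRpcProvider/,
                          /0x[0-9a-fA-F]{40}\b/];

// Standard edit distance (insert, delete, substitute), two-row dynamic programming.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Closest popular name and how far away it is.
function nearestPopular(name, popular = POPULAR) {
  let best = { match: null, distance: Infinity };
  for (const p of popular) {
    const d = levenshtein(name, p);
    if (d < best.distance) best = { match: p, distance: d };
  }
  return best;
}

// Returns the popular package a name looks like, or null if the name is exact
// or not close. Longer names tolerate two edits ("jest-fet-mock" is two edits
// from "jest-fetch-mock"); short names only one, to limit false positives.
function isTyposquat(name, popular = POPULAR) {
  const n = name.toLowerCase();
  if (popular.includes(n)) return null;
  const { match, distance } = nearestPopular(n, popular);
  const threshold = match && match.length >= 8 ? 2 : 1;
  return distance <= threshold ? match : null;
}

// manifest: parsed package.json; scriptSources: hook name -> contents of the
// file that hook runs (so indicators inside a separate script file are seen).
function auditPackage(manifest, scriptSources = {}) {
  const findings = [];
  const lookalike = isTyposquat(manifest.name);
  if (lookalike) {
    findings.push(`name "${manifest.name}" is within edit distance of popular package "${lookalike}"`);
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push(`runs ${hook} hook automatically at install time: "${scripts[hook]}"`);
    const body = `${scripts[hook]}\n${scriptSources[hook] || ''}`;
    const hits = CHAIN_INDICATORS.filter((re) => re.test(body)).map((re) => re.source);
    if (hits.length) findings.push(`${hook} script references blockchain indicators: ${hits.join(', ')}`);
  }
  return findings;
}

// Constructed sample: a look-alike of jest-fetch-mock with a preinstall hook.
const SUSPECT_MANIFEST = {
  name: 'jest-fet-mock', version: '1.0.0',
  scripts: { preinstall: 'node setup.js', test: 'jest' },
};
// Constructed stand-in for setup.js; the zero address is a placeholder, not a real contract.
const SUSPECT_SCRIPTS = {
  preinstall: [
    "const { JsonRpcProvider, Contract } = require('ethers');",
    "const addr = '0x" + '0'.repeat(40) + "';",
    '// read the download server out of the contract, then fetch a payload',
  ].join('\n'),
};
// Constructed benign manifest: the genuine name and no install hooks.
const BENIGN_MANIFEST = { name: 'jest-fetch-mock', version: '3.0.3', scripts: { test: 'jest' } };

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [SUSPECT_MANIFEST, BENIGN_MANIFEST]) {
    const f = auditPackage(m, m === SUSPECT_MANIFEST ? SUSPECT_SCRIPTS : {});
    console.log(`${m.name}: ${f.length ? '\n  ' + f.join('\n  ') : 'no findings'}`);
  }
}
```

Run it with node against a copy of a package.json pulled from the registry (npm pack, then read the tarball) before the package is added to a project. Edit distance alone is noisy for short names, so a real check should combine it with the package’s age and download count, and the indicator list is only a starting point: an install hook that runs any network-capable code deserves a look regardless of which library it uses.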
As AI and machine learning tools become integral to coding, additional risks like “package hallucination” attacks should also be on the radar: AI-generated code sometimes imports packages that do not exist, and an attacker who notices a recurring hallucinated name can register it on the registry with malicious content so that the install succeeds. This emerging threat, documented by recent research, poses challenges in anticipating and mitigating supply chain vulnerabilities.
Legal and development teams should collaborate to enhance package security reviews and maintain awareness of evolving tactics in their supply chain cybersecurity protocol.