Security researchers claim to have discovered the first-ever open source supply chain attack combining blockchain technology with traditional attack vectors.
Checkmarx said it found the malicious “jest-fet-mock” package on npm. It spoofs two legitimate and widely used JavaScript testing utilities: “fetch-mock-jest” and “Jest-Fetch-Mock.”
“The attacker used a classic typosquatting technique by misspelling ‘fetch’ as ‘fet’ while maintaining the key terms ‘jest’ and ‘mock,’” it wrote.
“Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.”
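One defensive control that follows from the typosquatting point above is a pre-install check that compares every dependency name against an allow-list of packages the team actually uses and flags anything that is only a few edits away. The JavaScript below is an added example, not code from Checkmarx or from either npm project; it goes slightly beyond the single misspelling in the article by canonicalising hyphen-separated tokens so that reordered names such as "fetch-mock-jest" and "jest-fetch-mock" also compare as near-identical. The manifest, the allow-list and the function names (`levenshtein`, `canonical`, `findTyposquats`, `auditManifest`) are all constructed for the example.

```javascript
// Added example (not Checkmarx's or npm's code): flag dependency names that are a
// small edit away from well-known package names, treating names that merely
// reorder hyphen-separated tokens as close, e.g. "jest-fet-mock" vs "fetch-mock-jest".

// Standard Levenshtein edit distance, computed with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // holds D[i-1][j-1] as j advances
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Canonical form: lowercase, split on "-", sort the tokens, rejoin. This makes
// reordered names ("fetch-mock-jest" vs "jest-fetch-mock") canonically equal,
// so a lookalike of one is also measured against the other.
function canonical(name) {
  return name.toLowerCase().split("-").filter(Boolean).sort().join("-");
}

// Return one finding per (dependency, known package) pair whose canonical
// forms are within maxDistance edits, skipping exact matches to the allow-list.
function findTyposquats(dependencies, knownPackages, maxDistance = 2) {
  const known = new Set(knownPackages);
  const findings = [];
  for (const dep of dependencies) {
    if (known.has(dep)) continue; // exact allow-list hit: legitimate
    const depCanon = canonical(dep);
    for (const pkg of knownPackages) {
      const distance = levenshtein(depCanon, canonical(pkg));
      if (distance <= maxDistance) {
        findings.push({ dependency: dep, resembles: pkg, distance });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from the article): one lookalike
// sits next to the legitimate package it imitates.
const samplePackageJson = {
  name: "example-app",
  devDependencies: {
    "jest": "^29.0.0",
    "jest-fet-mock": "^1.0.0",
    "fetch-mock-jest": "^1.5.1",
    "express": "^4.19.0",
  },
};

// Constructed allow-list of packages the team knowingly depends on.
const KNOWN_PACKAGES = ["jest", "jest-fetch-mock", "fetch-mock-jest", "express"];

// Audit both dependency sections of a package.json-shaped object.
function auditManifest(manifest, knownPackages = KNOWN_PACKAGES) {
  const deps = [
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.devDependencies || {}),
  ];
  return findTyposquats(deps, knownPackages);
}

// Example run: "jest-fet-mock" is reported as resembling both legitimate names.
console.log(JSON.stringify(auditManifest(samplePackageJson), null, 2));
```

In a pipeline this would run before `npm install` (or over the lockfile) and fail the build on any finding, so a lookalike is caught before its code ever executes with a developer's or CI runner's privileges. Tune `maxDistance` to the length of the names involved; a distance of 2 is tight enough for short names but a long name may need a relative threshold.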
However, the really novel part of the attack chain comes once the victim downloads the malicious package.
“When executed, the malware interacts with a smart contract at address ‘0xa1b40044EBc2794f207D45143Bd82a1B86156c6b.’ Specifically, it calls the contract’s ‘getString’ method, passing ‘0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84’ as a parameter to retrieve its [command-and-control] C2 server address,” Checkmarx explained.
“By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications.”
This also gives the threat actors agility. Rather than hardcoding C2 server addresses in the malware, they update the smart contract whenever needed to point to a new server, so even if network defenders block one C2 server, the adversaries can switch to another simply by updating the contract.
“The discovery of ‘jest-fet-mock’ reveals how threat actors are finding different ways to compromise the software supply chain,” Checkmarx concluded.
“This case serves as an important reminder for development teams to implement strict security controls around package management and carefully verify the authenticity of testing utilities, especially those requiring elevated privileges.”