Checkmarx researchers have detected a unique supply chain attack within the NPM ecosystem that uses the Ethereum blockchain.
The malicious package, dubbed “jest-fet-mock,” targets developers with cross-platform malware using Ethereum smart contracts for command and control (C2) operations. This marks a convergence of blockchain technology with traditional attack vectors, a method not yet seen in NPM packages.
Attack Mechanisms and Distribution
The “jest-fet-mock” package, masquerading as a reliable JavaScript testing utility, was first spotted in mid-October. It hides its true intention behind a carefully crafted facade by imitating two legitimate packages: “fetch-mock-jest”, which garners around 200,000 downloads per week, and “Jest-Fetch-Mock”, reaching around 1.3 million downloads weekly.
Using a typosquatting technique, the attackers misspelled “fetch” as “fet” while keeping the recognisable “jest” and “mock” parts of the name, so that developers who mistype or skim the name install the malicious package instead.
During installation, the package uses an NPM preinstall script to run its malicious code. The malware targets development environments, running information-stealing functions on Windows, Linux, and macOS and establishing persistence through operating-system-specific mechanisms.
All variants reconnect to the attackers’ C2 server, maintaining consistent communication for further exploitation.
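As an added illustration that is not part of the Checkmarx report, the following Python audit applies two of the signals described above to a package manifest: an install-time lifecycle hook and a package name within a couple of edits of a popular package. The sample package.json, including the `setup.js` script name, is constructed for the example and does not reproduce the real package.

```python
import json

# Popular names the article says were imitated; a real deployment would use a
# much larger allowlist of well-known packages.
KNOWN_PACKAGES = {"jest-fetch-mock", "fetch-mock-jest", "jest", "fetch-mock"}

# npm lifecycle hooks that execute arbitrary code during `npm install`.
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss names such as 'fet' for 'fetch'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(manifest: dict, max_distance: int = 2) -> list:
    """Return human-readable findings for a parsed package.json."""
    findings = []
    name = manifest.get("name", "")
    # Signal 1: name is suspiciously close to, but not equal to, a popular package.
    for known in sorted(KNOWN_PACKAGES):
        if name != known and levenshtein(name, known) <= max_distance:
            findings.append(
                f"name '{name}' is within {max_distance} edits of '{known}' (possible typosquat)"
            )
    # Signal 2: the package runs code at install time.
    scripts = manifest.get("scripts", {})
    for hook in sorted(INSTALL_HOOKS & set(scripts)):
        findings.append(f"install-time hook '{hook}' runs: {scripts[hook]}")
    return findings


# Constructed sample manifest (hypothetical script name, not the real package's contents).
SAMPLE_MANIFEST = json.loads("""
{
  "name": "jest-fet-mock",
  "version": "1.0.0",
  "scripts": { "preinstall": "node setup.js", "test": "jest" }
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("WARNING:", finding)
```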
Command and control via the Ethereum blockchain
A notable aspect of this supply chain attack is its use of the Ethereum blockchain for C2 operations. The Ethereum smart contract at “0xa1b40044EBc2794f207D45143Bd82a1B86156c6b” exposes a “getString” method that publishes the C2 server address; the malware queries it to learn where to connect.
By relying on the immutability and decentralization of the blockchain, the attackers gain a resilient infrastructure that is difficult to take down or intercept, improving the persistence and adaptability of their campaign.
Ripple effect and countermeasures
After analysis, Checkmarx researchers identified malware variants suitable for each operating system:
- Windows: (SHA-256: df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba)
- Linux: (SHA-256: 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17)
- macOS: (SHA-256: 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653)
None of these variants were flagged as malicious by the security engines on VirusTotal. This lack of detection poses a significant threat to development environments, where such utilities are widely trusted and integrated into CI/CD pipelines.
By breaching development and testing utilities, these attackers can potentially take control of crucial CI/CD and build systems, posing a serious risk to software supply chains. The campaign’s innovative use of blockchain for C2 operations signifies an evolution in supply chain attack strategies, making traditional detection and mitigation approaches less effective.
With additional malware packages linked to this campaign already reported by Phylum and Socket, the threat continues to intensify.
This latest incident serves as a crucial warning for development teams who must rigorously review package management practices, confirm the legitimacy of testing utilities, and implement robust security measures to protect their environments.
For those interested in the full list of packages identified as part of this campaign, they can be viewed here.
(Photo by Joshua Hoehne)