NPM supply chain attack uses Ethereum blockchain


Checkmarx Researchers Uncover Unique Supply Chain Attack in NPM Using Ethereum Blockchain

Checkmarx researchers have identified a distinctive supply chain attack within the NPM ecosystem, leveraging the Ethereum blockchain for its operations. The malicious package, named “jest-fet-mock,” employs multi-platform malware and utilizes Ethereum smart contracts for command-and-control (C2) activities, marking a new convergence between blockchain technology and traditional cyberattack methods—an approach not previously seen in NPM packages.

Attack Mechanics and Distribution

The “jest-fet-mock” package, first detected in mid-October, masquerades as a legitimate JavaScript testing utility. It conceals its malicious intent by mimicking two established packages: “fetch-mock-jest,” which receives about 200,000 downloads weekly, and “Jest-Fetch-Mock,” which attracts approximately 1.3 million weekly downloads.

The attackers employed a typosquatting strategy, altering “fetch” to “fet” while retaining the recognizable components “jest” and “mock” to mislead developers into downloading the compromised package.
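The typosquat described above is a small edit away from a popular name, and that is something a build can check for before installing. The following is an added example (not Checkmarx code, and not part of the original report) that flags dependency names within a couple of edits of an allowlisted package. The `TRUSTED` list and the sample manifest are constructed for the example; the distance threshold of 2 is an assumption chosen so that “jest-fet-mock” is caught against both packages it imitates, including the reordered-token form “fetch-mock-jest”.

```javascript
'use strict';

// Classic Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Sort the "-"-separated parts so that reordered names such as
// "fetch-mock-jest" and "jest-fetch-mock" compare as close neighbours.
function canonical(name) {
  return name.toLowerCase().split('-').sort().join('-');
}

// Allowlist of packages the project legitimately depends on. Constructed
// for this example; in practice derive it from a known-good lockfile.
const TRUSTED = ['jest', 'jest-fetch-mock', 'fetch-mock-jest', 'lodash', 'express'];

// Returns null for a trusted or clearly unrelated name, otherwise the closest
// trusted package and the edit distance that made the name suspicious.
function checkPackageName(name, trusted = TRUSTED, maxDistance = 2) {
  const lower = name.toLowerCase();
  if (trusted.includes(lower)) return null;
  let best = null;
  for (const t of trusted) {
    const d = Math.min(levenshtein(lower, t), levenshtein(canonical(lower), canonical(t)));
    if (d <= maxDistance && (best === null || d < best.distance)) {
      best = { name, closest: t, distance: d };
    }
  }
  return best;
}

// Audit every dependency name in a parsed package.json object.
function auditDependencies(pkg, trusted = TRUSTED) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return names.map((n) => checkPackageName(n, trusted)).filter(Boolean);
}

// Constructed sample manifest; "jest-fet-mock" is the name from the report.
const SAMPLE_PACKAGE_JSON = {
  devDependencies: { 'jest-fet-mock': '^1.0.0', jest: '^29.0.0' },
  dependencies: { express: '^4.18.0', 'left-pad': '^1.3.0' },
};

for (const hit of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious: ${hit.name} is ${hit.distance} edit(s) from ${hit.closest}`);
}
```

Running the check against a lockfile in CI, rather than against a hand-written manifest, also catches transitive dependencies that never appear in the project's own package.json.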

Once installed, the package takes advantage of NPM preinstall scripts to execute harmful code. The malware specifically targets development infrastructures, executing information-stealing functions across Windows, Linux, and macOS environments, and establishing persistence through tailored mechanisms. All variants of the malware maintain a connection to the attackers’ C2 server, ensuring ongoing communication for further exploitation.

Ethereum Blockchain Command-and-Control

A critical feature of this supply chain attack is the use of the Ethereum blockchain for command-and-control operations. The relevant Ethereum smart contract, found at the address “0xa1b40044EBc2794f207D45143Bd82a1B86156c6b,” uses its “getString” method to distribute C2 server addresses. By leveraging the blockchain’s inherent decentralization and immutability, the attackers have built a resilient infrastructure that is difficult to dismantle or intercept, thereby enhancing the persistence and adaptability of their malicious campaign.

Ripple Effect and Countermeasures

Checkmarx researchers discovered malware variants tailored for each major operating system:

  • Windows: SHA-256: df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba
  • Linux: SHA-256: 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
  • macOS: SHA-256: 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653

None of these variants have been flagged as malicious by existing security solutions on VirusTotal, which presents a significant threat to development environments where such tools are commonly trusted and integrated into CI/CD pipelines.

By infiltrating development and testing utilities, these attackers could potentially gain control over critical CI/CD and build systems, posing a severe risk to software supply chains. The innovative use of blockchain for command-and-control functions signals a shift in supply chain attack methodologies, making traditional detection and mitigation strategies less effective.

With additional malicious packages linked to this campaign already reported by Phylum and Socket, the threat landscape continues to grow.

This incident serves as a critical reminder for development teams to thoroughly review package management practices, verify the legitimacy of testing utilities, and implement robust security measures to protect their environments.