NPM supply chain attack uses Ethereum blockchain

Photo of a chain illustrating the discovery of a malware campaign that takes advantage of the npm packages ecosystem for a software supply chain attack and uses the Ethereum blockchain for resilience against cyber security detection and mitigation strategies.

Checkmarx researchers have detected a unique supply chain attack within the NPM ecosystem that uses the Ethereum blockchain.

The malicious package, dubbed "jest-fet-mock," targets developers with a multi-platform malware employing Ethereum smart contracts for command-and-control (C2) operations. This marks a convergence of blockchain technology with traditional attack vectors—a method not yet observed in NPM packages. 

Attack mechanics and distribution

The...

4 November 2024 | Blockchain

Entry points threaten multiple open-source ecosystems

Sign illustrating how vulnerabilities with entry points can be exploited by hackers to threaten open-source packages of multiple programming ecosystems.

While current tools have improved at detecting common tactics for exploiting open-source packages, a feature remains largely overlooked: entry points.

Security researchers at Checkmarx uncovered how attackers can leverage entry points across multiple programming ecosystems, with a particular focus on PyPI, to trick victims into running malicious code. This method – while not allowing for immediate system compromise – offers a subtler approach for patient attackers to...

14 October 2024 | Developer

Roblox developers targeted by year-long malware campaign

A sustained malware campaign targeting Roblox developers through malicious npm packages has been uncovered by Checkmarx security researchers. The attackers are impersonating the popular “noblox.js” library, publishing dozens of packages designed to steal sensitive information and compromise systems.

The campaign, which has been active for over a year, exploits trust in the open-source ecosystem. It particularly targets the Roblox platform, a lucrative target due to its massive...

2 September 2024 | Development Tools

North Korean hackers target developers in latest npm attack wave

A fresh offensive by suspected North Korean hacking groups has targeted the open-source software community with a series of malicious packages uploaded to the npm repository.

Identified by cybersecurity firm Phylum, the attacks leverage multiple techniques and appear designed to steal cryptocurrency and sensitive data from unsuspecting developers.

The campaign began on 12th August and involves several distinct publication patterns and attack types, suggesting the...

29 August 2024 | Developer

Images weaponised in latest supply chain attack

A series of malicious packages disguised as legitimate software have been discovered in the npm registry by cybersecurity firm Phylum.

The packages – identified on 13 July 2024 – contained hidden command and control functionality embedded within image files, executed during the installation process.

Phylum researchers uncovered two packages in this campaign, with one named "img-aws-s3-object-multipart-copy" mimicking a legitimate GitHub library. The malicious version...

16 July 2024 | Hacking & Security

Checkmarx uncovers supply chain attacks targeting banking

Checkmarx has uncovered a new and sophisticated cyber threat targeting the banking sector.

The security testing firm's research team detected two distinct open-source software supply chain attacks targeting financial institutions. These attacks, which involved advanced techniques and deceptive tactics, have raised alarm bells among cybersecurity experts.

Attack one: NPM

The first attack occurred on April 5th and 7th when a threat actor exploited the NPM platform,...

21 July 2023 | Hacking & Security

Sonatype uncovers further malicious PyPI and npm packages

Sonatype continues to uncover a significant number of malicious packages within the PyPI and npm software registries.

Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm "colors" library.

The malicious packages, including names such as "broke-rcl," "brokescolors," and "trexcolors," exclusively targeted the Windows operating system. Once installed, these packages would initiate the...

23 June 2023 | Developer

Malware campaign targets official Python and JavaScript repos

An active malware campaign is targeting official Python and JavaScript repositories.

Software supply chain security firm Phylum spotted the campaign. Phylum said that it discovered the campaign after noticing a flurry of activity around typosquats of the popular Python requests package.

Typosquats take advantage of simple typos to install malicious packages.

In this case, the PyPI typos include: dequests, fequests, gequests, rdquests, reauests, reduests,...

13 December 2022 | Hacking & Security

GitHub notifies victims of OAuth token theft

GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and...

19 April 2022 | Git

Large-scale supply chain attack used 218 malicious NPM packages

A large-scale supply chain attack has been uncovered that used 218 malicious NPM packages.

Researchers from JFrog claim that several of their automated analysers started throwing up alerts regarding a set of packages in the npm registry earlier this week.

Over a few days, the number of packages swelled from around 50 packages to more than 200 (as of March 21st).

The researchers manually analysed the packages and found that it was a targeted attack against the...

24 March 2022 | Hacking & Security