Checkmarx uncovers npm supply chain attack using Ethereum smart contracts
Checkmarx has identified a new npm supply chain attack that uses Ethereum smart contracts for command-and-control operations. The malicious package, named “jest-fet-mock,” mimics two legitimate JavaScript testing tools through a typosquatting technique. Once downloaded, the malware interacts with a smart contract to retrieve the command-and-control server address. This method allows attackers to easily change their server locations, making it harder for defenders to block their operations. This discovery highlights the evolving tactics of threat actors in compromising software supply chains. It emphasizes the need for development teams to enhance security measures around package management and verify the authenticity of tools used in development environments.
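One defender-side check that follows from the typosquatting point above, added here as an example and not code from Checkmarx's report or from the malicious package: it flags dependencies in a package.json whose names are within a small edit distance of a known-good package name. The allowlist, the distance threshold and the sample package.json are constructed for the demonstration.

```javascript
// Added example: flag npm dependency names that are one or two edits away from a
// known-good name, the pattern a typosquat such as "jest-fet-mock" relies on.
// KNOWN_GOOD and SAMPLE_PACKAGE_JSON are constructed for this demo; a real
// deployment would load the allowlist from the team's approved package inventory.
const KNOWN_GOOD = ["jest", "jest-fetch-mock", "fetch-mock", "node-fetch", "mocha", "chai"];

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance: counts
// insertions, deletions, substitutions and adjacent transpositions.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one finding per (dependency, lookalike) pair where the dependency name
// is close to but not identical to a known-good name. Exact matches are skipped.
function findTyposquats(pkgJson, knownGood = KNOWN_GOOD, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (knownGood.includes(name)) continue;
    for (const good of knownGood) {
      const distance = editDistance(name, good);
      if (distance <= maxDistance) findings.push({ name, lookalike: good, distance });
    }
  }
  return findings;
}

// Constructed package.json; "jest-fet-mock" is the package name from the report.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "node-fetch": "^3.0.0" },
  devDependencies: { jest: "^29.0.0", "jest-fet-mock": "^1.0.0" },
};

console.log(JSON.stringify(findTyposquats(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it as a pre-install step in CI so a near-miss name blocks the build until someone confirms the package is the one they meant.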