Oddbean

Supply Chain Attack Uses Smart Contracts for C2 Ops Security researchers claim to have discovered the first-ever open source supply chain attack combining blockchain technology with traditional attack vectors. “The attacker used a classic typosquatting technique by misspelling ‘fetch’ as ‘fet’ while maintaining the key terms ‘jest’ and ‘mock,’” it wrote. “Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.” See more: https://www.infosecurity-magazine.com/news/supply-chain-attack-smart/ #cybersecurity #smartcontract #supplychainattack

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few days. The activity was first flagged on October 31, 2024, although it's said to have been underway at least a week prior. No less than 287 typosquat packages have been published to the npm package registry. See more: https://thehackernews.com/2024/11/malware-campaign-uses-ethereum-smart.html nostr:nevent1qqsq8w6hg6zau75efs45zj03v7us74xm4pawuu69ng0flrczffr9j2cpz4mhxue69uhhyetvv9ujumn0wd68ytnzvuhsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqsy4r3nr #cybersecurity #c2 #smartcontracts