 Supply Chain Attack Uses Smart Contracts for C2 Ops

Security researchers claim to have discovered the first-ever open source supply chain attack combining blockchain technology with traditional attack vectors.

“The attacker used a classic typosquatting technique by misspelling ‘fetch’ as ‘fet’ while maintaining the key terms ‘jest’ and ‘mock,’” it wrote.

“Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.”

See more: https://www.infosecurity-magazine.com/news/supply-chain-attack-smart/

#cybersecurity #smartcontract #supplychainattack 
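The keyword-preserving misspelling quoted above (one token altered, the rest of the name intact) is the pattern a dependency check should look for. The following is an added example and is not code from the post or from any of the vendors it cites: a Python check that splits npm package names into hyphen-separated tokens, flags a dependency when exactly one token is within a small edit distance of a known package's token while the other tokens match exactly, and also flags reordered tokens. The known-package list and the package.json are constructed for the demo; the pairing of jest-fet-mock with jest-fetch-mock is my assumption based on the quoted description, not a name taken from the article.

```python
"""Flag npm dependency names that look like typosquats of known packages.

Added illustrative example, not code from the original posts or from
Checkmarx, Phylum or Socket. All package names below are constructed for
the demo; in practice KNOWN_PACKAGES would come from an allowlist or the
registry's most-downloaded packages.
"""
import json
import re
from typing import Dict, List, Optional

KNOWN_PACKAGES = [
    "jest", "jest-mock", "jest-fetch-mock", "node-fetch", "cross-fetch", "lodash",
]

# Constructed package.json for the demo (assumed, not taken from the posts).
SAMPLE_PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {"lodash": "^4.17.21", "node-fetch": "^3.3.2", "lodahs": "1.0.0"},
  "devDependencies": {"jest": "^29.0.0", "jest-fet-mock": "3.0.3", "cross-fetch": "^4.0.0"}
}
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_tokens(name: str) -> List[str]:
    """Split an npm name into lower-case tokens, dropping any @scope/ prefix."""
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return [t for t in re.split(r"[-_.]", name.lower()) if t]


def squat_reason(candidate: str, known: str, max_token_dist: int = 2) -> Optional[str]:
    """Return why `candidate` looks like a typosquat of `known`, or None."""
    if candidate.lower() == known.lower():
        return None  # exact match is the legitimate package itself
    ct, kt = name_tokens(candidate), name_tokens(known)
    if ct == kt:
        return "same tokens with different separators or scope"
    if len(ct) == len(kt):
        diffs = [(c, k) for c, k in zip(ct, kt) if c != k]
        if len(diffs) == 1:
            c, k = diffs[0]
            d = levenshtein(c, k)
            if d <= max_token_dist:
                return f"token {c!r} is edit distance {d} from {k!r}, other tokens identical"
        if sorted(ct) == sorted(kt):
            return "same tokens in a different order"
    return None


def find_typosquats(package_json_text: str, known_packages: List[str]) -> List[Dict[str, str]]:
    """Scan dependency sections of a package.json and return suspicious entries."""
    manifest = json.loads(package_json_text)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    hits = []
    for dep in deps:
        for known in known_packages:
            reason = squat_reason(dep, known)
            if reason:
                hits.append({"package": dep, "looks_like": known, "reason": reason})
                break  # one plausible target is enough to flag the entry
    return hits


if __name__ == "__main__":
    for hit in find_typosquats(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES):
        print(f"{hit['package']:16} ~ {hit['looks_like']:16} {hit['reason']}")
```

Token-level comparison is deliberate: a whole-name edit distance of 2 would also pair unrelated short names, whereas requiring every other token to match exactly keeps node-fetch and cross-fetch apart while still catching a single dropped or swapped syllable. Run it against lockfiles in CI, where the elevated privileges the post mentions make a wrong install most costly.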
 Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware.

The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few days.

The activity was first flagged on October 31, 2024, although it's said to have been underway at least a week prior. No less than 287 typosquat packages have been published to the npm package registry.

See more: https://thehackernews.com/2024/11/malware-campaign-uses-ethereum-smart.html

nostr:nevent1qqsq8w6hg6zau75efs45zj03v7us74xm4pawuu69ng0flrczffr9j2cpz4mhxue69uhhyetvv9ujumn0wd68ytnzvuhsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqsy4r3nr

#cybersecurity #c2 #smartcontracts
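The point of putting the C2 address in a contract is that the package itself never has to contain it: the malware issues a read-only call and gets back whatever string the operator last stored. As an added example, not code from the post or from Checkmarx, Phylum or Socket, here is the Python a responder would use to turn the `result` of such an `eth_call` (captured from proxy logs or a sandbox) back into the string it carries, with the bounds checks the Solidity ABI layout needs. The contract shape (a getter that returns a single `string`) and the JSON-RPC reply are assumptions constructed for the demo; no real contract address, selector or campaign value appears here.

```python
"""Decode an eth_call result that returns a single ABI-encoded `string`.

Added example, not code from the posts or from any cited vendor. The
JSON-RPC reply below is constructed for the demo: it is what a node would
return for a hypothetical contract getter that stores a string. The URL in
it is a placeholder on a reserved .invalid domain, not a real indicator.
"""
import json


def abi_encode_string(s: str) -> str:
    """Encode one `string` return value the way the Solidity ABI lays it out:
    a 32-byte offset to the data (always 0x20 for a single value), a 32-byte
    length, then the bytes padded to a multiple of 32."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(hex_result: str) -> str:
    """Decode a single ABI-encoded `string`, refusing truncated or
    out-of-range payloads instead of silently returning garbage."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short for a dynamic type")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds the result")
    return raw[start:start + length].decode("utf-8")


def extract_result_string(rpc_response_text: str) -> str:
    """Pull `result` out of a JSON-RPC reply and ABI-decode it as a string."""
    reply = json.loads(rpc_response_text)
    if "error" in reply:
        raise ValueError(f"RPC error: {reply['error']}")
    return abi_decode_string(reply["result"])


# Constructed JSON-RPC reply (the encoder builds the hex so the demo stays
# correct; the value is a placeholder, not an observed C2 address).
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("http://c2.example.invalid:8080"),
})


if __name__ == "__main__":
    print(extract_result_string(SAMPLE_RESPONSE))
```

Because the operator can overwrite the stored string at any time, the decoded address is a point-in-time observation and a blocklist built from it goes stale. The stable indicators are the lookup itself: outbound JSON-RPC `eth_call` traffic from a build agent or developer machine that has no business talking to an Ethereum node, together with the contract address and function selector in that call.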