Attackers gunning for supply chains again, deploying innovative blockchain technique to hide command & control.
Application security testing company Checkmarx has warned developers to be on the lookout for malicious npm packages after discovering a new attack that uses typosquatting to impersonate two popular packages.
The package is part of a much larger campaign against npm, but adds a new twist: instead of a hard-coded command-and-control (C2) server, it reads the addresses of its malicious payloads from the Ethereum blockchain, so there is no single C2 domain or IP address for defenders to block or take down.
The campaign targets two popular npm (Node Package Manager) packages used alongside the Jest JavaScript testing framework, "fetch-mock-jest" and "jest-fetch-mock", using a malicious package with a similar-looking name, "jest-fet-mock".
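Both tells described above can be checked for before `npm install` runs anything. The following is an added example written for this article, not code from Checkmarx or from any of the packages named: it flags dependency names that sit within a couple of edits of a known-good name (the typosquat lure) and install-time scripts that contain Ethereum JSON-RPC indicators such as `eth_call`, a `jsonrpc` envelope or a 40-hex-digit contract address. The `KNOWN_PACKAGES` allow-list, the indicator patterns and the sample `package.json` are assumptions constructed for the demo, not a signature of the actual malicious package.

```javascript
// Added example: a pre-install audit for the two tells in the article.
// Not code from Checkmarx or from the npm packages it names.
// KNOWN_PACKAGES is an assumed allow-list you would maintain yourself;
// SAMPLE_PACKAGE_JSON is constructed for the demo and is not a real package.

const KNOWN_PACKAGES = ["fetch-mock-jest", "jest-fetch-mock", "fetch-mock", "jest", "node-fetch"];

// Strings an install hook of a test-mocking library should never need:
// Ethereum JSON-RPC read methods, the JSON-RPC envelope itself, and
// 20-byte (40 hex digit) contract addresses.
const CHAIN_INDICATORS = [
  /\beth_(call|getCode|getStorageAt|getLogs)\b/,
  /\bjsonrpc\b/i,
  /\b0x[0-9a-fA-F]{40}\b/,
];

// Hooks npm runs automatically, i.e. code that executes before anyone reads it.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: {
    "jest-fet-mock": "^1.0.0", // two characters short of jest-fetch-mock
    "jest": "^29.0.0",
    "lodash": "^4.17.21",      // unrelated name, must not be flagged
  },
  scripts: {
    // Constructed stand-in for a hook that asks an Ethereum node for contract data.
    postinstall: `node -e "fetch('https://rpc.example/', {method: 'POST', body: JSON.stringify({jsonrpc: '2.0', method: 'eth_call', params: [{to: '0x0000000000000000000000000000000000000000', data: '0x'}]})})"`,
    test: "jest",
  },
};

// Levenshtein edit distance (insert, delete, substitute; cost 1 each),
// computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Dependencies that are not on the allow-list but sit within maxDistance
// edits of a name that is: the classic typosquat shape.
function findTyposquats(depNames, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of depNames) {
    if (known.includes(name)) continue;
    let best = null;
    for (const candidate of known) {
      const d = levenshtein(name, candidate);
      if (best === null || d < best.distance) best = { lookalike: candidate, distance: d };
    }
    if (best && best.distance <= maxDistance) findings.push({ name, ...best });
  }
  return findings;
}

// Lifecycle scripts that carry blockchain-RPC indicators.
function findChainIndicators(scripts = {}) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const body = scripts[hook];
    if (!body) continue;
    for (const re of CHAIN_INDICATORS) {
      const m = body.match(re);
      if (m) findings.push({ hook, indicator: m[0] });
    }
  }
  return findings;
}

// Run both checks over a parsed package.json (dependencies and devDependencies).
function auditPackage(pkg, known = KNOWN_PACKAGES) {
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return {
    typosquats: findTyposquats(deps, known),
    chainIndicators: findChainIndicators(pkg.scripts),
  };
}

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE_JSON), null, 2));
```

Treat the output as a review prompt rather than a verdict: legitimate forks and renamed packages also land within two edits of a popular name, and a lifecycle hook that merely mentions an address is not proof of malice. The useful property is that both checks run on the manifest alone, before any package code executes, which is exactly the window the malicious package relies on being unobserved.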