Keypoints
- First observed use of an Ethereum smart contract to deliver C2 server addresses for an npm-based supply chain attack.
- Attack relied on typosquatting, impersonating popular JavaScript testing packages by misspelling “fetch” as “fet”.
- Malware is multi-platform, with distinct payloads for Windows, Linux, and macOS.
- Malicious code executes via npm preinstall scripts and spawns a detached process to continue running.
- Capabilities include system reconnaissance, credential theft, and platform-specific persistence (AutoStart files on Linux, LaunchAgents on macOS).
- No security vendors had flagged the identified payloads on VirusTotal at the time of analysis, increasing the immediate risk to developer infrastructure.
MITRE Techniques
- [T1071] Application Layer Protocol (Command and Control) – Retrieves the current C2 address from an Ethereum smart contract and then communicates with that server (‘Utilizes Ethereum smart contracts to maintain communication with compromised systems.’)
- [T1195] Supply Chain Compromise (Initial Access) – Distributes malware through typosquatted npm packages that mimic legitimate testing utilities (‘Leverages typosquatting to distribute malware through legitimate-looking packages.’)
- [T1003] OS Credential Dumping (Credential Access) – Performs credential theft on the infected host (‘Performs credential theft during its operation.’)
- [T1547] Boot or Logon Autostart Execution (Persistence) – Establishes persistence using platform-specific mechanisms such as AutoStart entries on Linux and LaunchAgents on macOS (‘Establishes persistence through platform-specific methods on infected systems.’)
- [T1082] System Information Discovery (Discovery) – Conducts reconnaissance to collect system information that informs further actions (‘Conducts reconnaissance to gather system information.’)
Indicators of Compromise
- [IP/URL] C2 and payload hosting – hxxp[:]//193[.]233[.]201[.]21:3001, hxxp[:]//193[.]233[.]201[.]21:3001/node-win.exe
- [File names] Downloaded platform binaries – node-win.exe, node-linux, node-macos
- [File hashes] Platform payload hashes – df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba, 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17, and 1 more hash
- [Ethereum smart contract] Blockchain C2 reference – smart contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b used to retrieve C2 addresses
The “jest-fet-mock” package was a deliberate typosquat that impersonated popular Jest testing utilities to trick developers into installing a malicious npm module. During installation the package runs a preinstall script that detects the host OS, queries an Ethereum smart contract for the current C2 address, downloads the platform-specific payload from that server, and launches it as a detached process so that it keeps running after the installer exits.
What makes this campaign novel is the use of an Ethereum smart contract as a decentralized bulletin board for C2 addresses: the preinstall script calls the contract’s getString method to retrieve the server location. The contract cannot be taken down, while the string it stores can be updated by whoever controls it, so the attacker can rotate C2 servers without republishing the package. Two points matter for defenders: the stored value is public, so the same contract can be read to recover the current C2 and block it; and the lookup itself needs an Ethereum JSON-RPC endpoint, so an npm install that reaches out to a blockchain RPC provider is a detection opportunity in its own right.
The payloads include Windows, Linux, and macOS variants that perform system reconnaissance, credential theft, and persistence via platform-appropriate mechanisms (AutoStart entries, LaunchAgents, etc.). Because the package targets developer workstations and CI/CD pipelines and the samples were not flagged on VirusTotal at the time of reporting, organizations should tighten package validation (pin versions, review new dependencies, watch for near-miss names), avoid running installs as root or with elevated privileges, disable lifecycle scripts by default with `npm config set ignore-scripts true` or `npm install --ignore-scripts` and allow-list the few packages that genuinely need them, and monitor developer environments for preinstall activity that spawns detached processes or makes network calls to unfamiliar hosts.