‘Package confusion’ attack against NPM used to trick developers into downloading malware



In other words, there is no single address, IP or server to block. That said, the technique has downsides that Checkmarx does not mention: blockchain communication is slow, and it is public. A blockchain cannot be edited or easily blocked, but once its use for malware C2 has been uncovered, the transactions the malware reads are visible to anyone and can be tracked.

This is probably why, despite past predictions that the technique would take off, blockchain C2 remains the experimental preserve of specialist malware.

Package confusion

Perhaps the more significant part of the story is that the technique is being used to target testing tools distributed via NPM, the largest open source JavaScript registry. Targeting testing tools is another way to get inside privileged developer test environments, and from there into any CI/CD pipelines they expose.
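The practical defence against a confusingly named package is to look at the manifest before it is installed. The script below is an added example, not code from Checkmarx, npm or the article: it scans a package.json for dependency names that are one or two edits away from testing tools a team actually uses, and for version specifiers that pull a tarball or git ref instead of a registry package. The watchlist, the sample manifest and the package names in it are constructed for the demo.

```javascript
// Added example: lookalike-dependency check for a package.json manifest.
// WATCHLIST and SAMPLE_PACKAGE_JSON are constructed for this demo; in real use
// read the manifest from disk and derive the watchlist from a lockfile or allowlist.

function osaDistance(a, b) {
  // Optimal string alignment distance: Levenshtein edits plus one adjacent
  // transposition, so "jset" is a single edit away from "jest".
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Constructed watchlist of testing tools the team depends on.
const WATCHLIST = ["jest", "mocha", "cypress", "puppeteer", "vitest"];

function unscoped(name) {
  // "@scope/pkg" -> "pkg"; unscoped names are returned unchanged.
  const slash = name.indexOf("/");
  return name.startsWith("@") && slash > 0 ? name.slice(slash + 1) : name;
}

function checkDependency(name, spec, watchlist = WATCHLIST) {
  const findings = [];
  const base = unscoped(name).toLowerCase();
  if (!watchlist.includes(base)) {
    for (const known of watchlist) {
      // Short names get one edit of tolerance, longer names two.
      const limit = known.length >= 6 ? 2 : 1;
      const dist = osaDistance(base, known);
      if (dist > 0 && dist <= limit) {
        findings.push({ name, reason: `lookalike of "${known}" (edit distance ${dist})` });
      }
    }
  }
  // URL, git, github: and file: specifiers (and bare tarballs) bypass the
  // registry entirely, so they warrant review regardless of the name.
  if (/^(https?:|git\+|git:|github:|file:|\.\/|\/)/.test(spec) || /\.tgz$/.test(spec)) {
    findings.push({ name, reason: `non-registry source "${spec}"` });
  }
  return findings;
}

function auditPackageJson(pkg, watchlist = WATCHLIST) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      findings.push(...checkDependency(name, spec, watchlist));
    }
  }
  return findings;
}

// Constructed sample manifest: two lookalike names and one tarball dependency.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  devDependencies: {
    "jest": "^29.7.0",
    "jset": "1.0.2",
    "cypres": "13.0.0",
    "mocha": "^10.2.0",
    "report-helper": "https://example.invalid/report-helper-1.0.0.tgz",
  },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

The two heuristics are deliberately cheap so they can run in a pre-commit hook or a CI step before `npm install`; a scoped package whose basename equals a watchlist entry (for example a `@types/` typings package) is treated as the real thing and not flagged, which is the right default for typings but worth tightening if your threat model includes scope squatting.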