In a significant development in the cybersecurity landscape, the banking sector has recently been the target of two distinct open-source software (OSS) supply chain attacks. These attacks, detected by Checkmarx’s Supply Chain research team in the first half of 2023, have showcased advanced techniques and deceptive tactics, including the use of fake LinkedIn profiles and customized command and control (C2) centers for each target. This blog post provides a detailed overview of these attacks, their implications, and the need for industry-wide collaboration to strengthen defenses against such threats.

Attack Number One

On April 5th and 7th, a threat actor leveraged the NPM platform to upload packages containing a preinstall script that executed its malicious objective upon installation. The contributor behind these packages was linked to a LinkedIn profile page of an individual posing as an employee of the targeted bank. The attack involved multiple stages, including the identification of the victim’s operating system, decoding of encrypted files included in the NPM package, and downloading a second-stage malicious binary onto the victim’s system.

The attacker utilized Azure’s CDN subdomains to effectively deliver the second-stage payload, bypassing traditional deny list methods. The Havoc Framework, an advanced post-exploitation command and control framework, was used in the second stage of this attack.

Attack Number Two

In February 2023, a different bank was targeted by a separate group of cybercriminals. The threat actors uploaded a package to NPM containing a payload designed to blend into the website of the victim bank and lay dormant until prompted to action. The payload was designed to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.

Shifting Gears in the Perception of Supply Chain Security

These attacks underscore the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place. Organizations need to adopt a proactive, integrated security architecture, incorporating protective measures at every stage of the SDLC.


We anticipate a steady escalation in targeted attacks, including on banks. The need of the hour is to stay vigilant, continuously evolve our defenses, and stay a step ahead of the threat actors.

Indicators of Compromise (IOCs)

  • 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
  • d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
  • f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
  • 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
  • 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf
  • hxxp[:]//*.azureedge[.]net/AnnyPhaedra.bin
  • hxxp[:]//*.azureedge[.]net/KellinaCordey.bin
  • hxxp[:]//*.azureedge[.]net/MidgeWileen.bin


The relevant MITRE ATT&CK TTPs for these attacks include:

Further Reading