A software supply chain attack has breached Maven Central, allowing attackers to distribute malware by impersonating a trusted Jackson JSON library.
The campaign highlights how even subtle naming tricks can undermine developer trust and quietly introduce malicious code into production environments.
The attackers have “… gone to great lengths to do a multi-staged payload, with encrypted configuration strings, a remote command-and-control server delivering platform-specific executables, and multiple layers of obfuscation designed to frustrate analysis,“ said Aikido researchers.
Inside the Jackson Typosquatting Supply Chain Attack
The attack relies on typosquatting and namespace impersonation. The malicious package name differs from the legitimate one by only a single namespace element, making it easy to overlook.
To further legitimize the operation, attackers registered a lookalike domain, fasterxml[.]org, mimicking the legitimate fasterxml[.]com project domain.
WHOIS records show the domain was registered just days before the malware was discovered, a tactic commonly used to evade early detection.
Once included as a dependency, the malware executes automatically in Spring Boot environments.
When the application starts, Spring scans for @Configuration classes and triggers JacksonSpringAutoConfiguration, allowing the malicious code to run without any explicit invocation by the developer.
The malware checks for ApplicationRunner.class to confirm it is running in a Spring Boot environment, ensuring consistent execution.
To evade analysis, the attackers heavily obfuscated the code inside the JAR file.
Aikido researchers observed techniques designed to confuse both human reviewers and machine learning–based analysis tools, including Unicode abuse and prompt injection–style noise.
After deobfuscation, the code was revealed to be a trojan downloader that contacts a remote command-and-control (C2) server to retrieve additional payloads.
The malware fingerprints the host operating system and downloads platform-specific binaries using AES-encrypted configuration data.
Analysis of these payloads confirmed that Linux and macOS variants are Cobalt Strike beacons, a tool frequently abused by ransomware groups and advanced persistent threat (APT) actors for remote access, credential theft, and lateral movement.
Mitigating Risk in the Software Supply Chain
Software supply chain attacks increasingly target trusted open-source ecosystems, making dependency hygiene and build security priorities for development teams.
Once a malicious package is introduced, it can quickly spread across applications, pipelines, and environments.
The following actions focus on reducing the risk of compromised dependencies, improving detection of malicious behavior, and limiting the impact of supply chain threats.
- Audit Java projects and dependency trees for unfamiliar packages, remove suspicious dependencies, and rebuild applications from known-good sources.
- Enforce strict dependency controls by pinning versions, using allowlists, verifying checksums or signatures, and restricting builds to trusted repository mirrors.
- Use software composition analysis and behavioral monitoring to detect anomalous dependencies, unexpected class loading, or unusual network activity.
- Harden CI/CD pipelines and developer environments by applying least-privilege access, limiting internet connectivity, and monitoring build-time execution.
- Implement runtime and endpoint protections, such as EDR or application-level monitoring, to detect unauthorized binary execution or outbound connections.
- Strengthen governance and preparedness by testing incident response plans and regularly reviewing dependencies.
Together, these controls help reduce supply chain risk, improve visibility into malicious dependencies, and limit the blast radius if a compromise occurs.
The Growing Risk of Open-Source Supply Chains
This incident highlights a broader shift in attacker strategy toward abusing the software supply chain and the inherent trust placed in open-source ecosystems.
Modern development pipelines rely heavily on automation, frequently introducing dependencies with limited manual oversight.
This allows a single malicious package to rapidly propagate across hundreds of applications, amplifying the impact of what might otherwise be a localized compromise.
As attacks like this become more common, securing the software supply chain has become a critical focus for organizations that rely on open-source dependencies at scale.





