Hackers Infiltrated Maven Central Masquerading as a Legitimate Jackson JSON Library


A new malware campaign has successfully infiltrated Maven Central, one of the most trusted repositories for Java developers, by masquerading as a legitimate Jackson JSON library extension.

The malicious package, published under the org.fasterxml.jackson.core/jackson-databind namespace, represents one of the first instances of sophisticated malware discovered on Maven Central through a typosquatting attack.

This attack takes advantage of a clever namespace confusion, where the legitimate Jackson library operates under com.fasterxml.jackson.core while the malicious version uses org.fasterxml.jackson.core.

The subtle difference between these namespaces makes it easy for developers to accidentally include the harmful package in their projects.
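One defensive check that this namespace confusion suggests, as an added Python example that is not part of the article or of Aikido's research: parse a pom.xml and flag any dependency whose artifactId is well known but whose groupId is not the one it is genuinely published under, treating a single differing dotted segment (such as the com/org swap) as a lookalike. The KNOWN_GROUPS allowlist and the sample POM are constructed for this example; only the com.fasterxml.jackson.core / org.fasterxml.jackson.core pair comes from the article.

```python
"""Flag Maven dependencies whose groupId is a lookalike of the groupId a
well-known artifact is genuinely published under (added example)."""
import xml.etree.ElementTree as ET

# artifactId -> genuine groupId. The Jackson entries reflect the article;
# extend this allowlist with the libraries your own projects depend on.
KNOWN_GROUPS = {
    "jackson-databind": "com.fasterxml.jackson.core",
    "jackson-core": "com.fasterxml.jackson.core",
    "jackson-annotations": "com.fasterxml.jackson.core",
}


def _local(tag):
    """Strip the XML namespace ('{...}dependency' -> 'dependency')."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""


def dependencies(pom_xml):
    """Return (groupId, artifactId) for every <dependency> in the POM,
    whether or not the POM declares the Maven XML namespace."""
    root = ET.fromstring(pom_xml)
    return [(_child_text(d, "groupId"), _child_text(d, "artifactId"))
            for d in root.iter() if _local(d.tag) == "dependency"]


def segment_mismatches(a, b):
    """Number of dotted segments that differ; a TLD swap like com->org is 1."""
    pa, pb = a.split("."), b.split(".")
    if len(pa) != len(pb):
        return max(len(pa), len(pb))
    return sum(x != y for x, y in zip(pa, pb))


def find_lookalikes(pom_xml):
    """Return (groupId, artifactId, reason) for dependencies whose groupId is
    not the one the artifact is known to be published under."""
    findings = []
    for group, artifact in dependencies(pom_xml):
        expected = KNOWN_GROUPS.get(artifact)
        if expected is None or group == expected:
            continue  # artifact not on the allowlist, or genuine coordinates
        if segment_mismatches(group, expected) == 1:
            reason = f"namespace lookalike of {expected}"
        else:
            reason = f"unexpected groupId, expected {expected}"
        findings.append((group, artifact, reason))
    return findings


# Constructed sample POM: one genuine Jackson dependency, one lookalike, and
# one unrelated artifact that the allowlist does not cover.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>2.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for group, artifact, reason in find_lookalikes(SAMPLE_POM):
        print(f"{group}:{artifact} -> {reason}")
```

Run against a real project the same check belongs in CI, with the allowlist seeded from the groupIds already present in the lock file or dependency tree, so a later pull request that swaps a namespace fails the build rather than a human review.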

The malware campaign shows clear signs of careful planning and execution. Attackers created a fake domain, fasterxml.org, to mirror the legitimate fasterxml.com, using the same .com to .org swap strategy seen in the package namespace.

The domain was registered on December 17, 2025, just eight days before Aikido analysts identified the threat. This short window between domain registration and deployment is a common pattern in malware operations, designed to reduce the chances of early detection and blocklisting.

Malware at a glance (Source: Aikido)

The package was reported to Maven Central and taken down within 1.5 hours of discovery, but not before it could potentially compromise developer systems.

Aikido analysts noted that the malware employs multiple layers of obfuscation to hide its true purpose.

The code inside the JAR file is heavily scrambled and even embeds prompt-injection text intended to confuse machine learning-based analysis tools.

When opened in editors that do not escape Unicode characters properly, the code displays significant noise that makes manual inspection difficult.

However, after careful examination, the research team successfully deobfuscated the malicious code, revealing its true function as a trojan downloader that contacts a command-and-control server and executes harmful payloads on infected systems.

Infection Mechanism and Payload Delivery

The malware operates through a seven-stage infection process that begins when a developer adds the malicious dependency to their pom.xml file.

Once included, the package automatically executes when a Spring Boot application starts, as Spring scans for @Configuration classes and discovers JacksonSpringAutoConfiguration.

The malware checks for the presence of ApplicationRunner.class, which is always available in Spring Boot environments, so the malicious code runs without any explicit call from the developer.

The infection mechanism includes a persistence check where the malware searches for a file named .idea.pid in the working directory.

This filename cleverly blends in with IntelliJ IDEA project files, making it less suspicious to developers who might notice unusual files in their project structure.
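To see what a dependency will run at Spring Boot start-up without ever being called, the added Python example below (not from the article or from Aikido) lists the auto-configuration classes a JAR registers through META-INF/spring.factories (Spring Boot 2.x) or META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports (Spring Boot 2.7+/3.x). The JARs it inspects are constructed in memory; the package org.fasterxml.jackson.core.spring and the clean JAR's contents are assumptions, since the article names only the class JacksonSpringAutoConfiguration. A plain JSON library such as the genuine jackson-databind registers nothing in these files, so any entry found in a JAR claiming to be Jackson deserves a manual look.

```python
"""List the Spring Boot auto-configuration classes a JAR registers, i.e. the
code Spring instantiates at application start-up with no explicit call from
the developer (added example)."""
import io
import zipfile

# Registration files Spring Boot consults for auto-configuration classes.
FACTORIES = "META-INF/spring.factories"  # Spring Boot 2.x
IMPORTS = ("META-INF/spring/"
           "org.springframework.boot.autoconfigure.AutoConfiguration.imports")  # 2.7+/3.x
AUTOCONFIG_KEY = "org.springframework.boot.autoconfigure.EnableAutoConfiguration"


def registered_autoconfigs(jar_bytes):
    """Return the fully qualified auto-configuration classes a JAR registers."""
    classes = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if FACTORIES in names:
            # spring.factories is a Java properties file; a value may continue
            # on the next line after a trailing backslash.
            text = jar.read(FACTORIES).decode("utf-8").replace("\\\n", "")
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == AUTOCONFIG_KEY:
                    classes += [v.strip() for v in value.split(",") if v.strip()]
        if IMPORTS in names:
            for line in jar.read(IMPORTS).decode("utf-8").splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    classes.append(line)
    return classes


def build_jar(entries):
    """Build an in-memory JAR from {path: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed JARs. The package of the registered class is an assumption;
# the article names only the class JacksonSpringAutoConfiguration.
HOOK_CLASS = "org.fasterxml.jackson.core.spring.JacksonSpringAutoConfiguration"
CLEAN_JAR = build_jar({
    "com/fasterxml/jackson/databind/ObjectMapper.class": b"\xca\xfe\xba\xbe",
})
SUSPECT_JAR_BOOT2 = build_jar({
    FACTORIES: AUTOCONFIG_KEY + "=\\\n  " + HOOK_CLASS + "\n",
})
SUSPECT_JAR_BOOT3 = build_jar({
    IMPORTS: "# auto-configuration\n" + HOOK_CLASS + "\n",
})

if __name__ == "__main__":
    for label, jar in [("clean", CLEAN_JAR),
                       ("suspect (Boot 2.x)", SUSPECT_JAR_BOOT2),
                       ("suspect (Boot 3.x)", SUSPECT_JAR_BOOT3)]:
        print(label, "->", registered_autoconfigs(jar) or "no start-up hooks")
```

The same listing, run over every JAR in a build's dependency tree, gives a reviewable inventory of third-party code that executes at start-up, which is exactly the surface this campaign relies on.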

The malware then performs environment fingerprinting by checking System.getProperty("os.name") to determine whether the system runs Windows, macOS, or Linux. This information is used to download the appropriate payload for the detected operating system.

Command-and-control communication occurs via http[:]//m[.]fasterxml[.]org:51211/config[.]txt, which delivers AES-encrypted configuration data.

WHOIS records (Source: Aikido)

The malware uses a hardcoded AES-ECB key (9237527890923496) to decrypt the payload URLs for each supported platform. The decrypted format follows an os|url pattern, such as win|http[:]//103.127.243[.]82:8000/http/192he23/svchosts.exe for Windows systems.

After downloading the binary as payload.bin to the system temp directory, the malware executes it while redirecting output to /dev/null on Unix systems or NUL on Windows to suppress any visible activity.

The Windows payload deliberately uses the name svchosts.exe, a typosquat of the legitimate svchost.exe process, to avoid detection.

Analysis of the downloaded payloads through VirusTotal confirms that the Linux and macOS binaries are Cobalt Strike beacons, a powerful penetration testing tool often used by ransomware operators and advanced persistent threat groups for remote access, credential theft, and lateral movement across networks.
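The indicators in this section can be turned into a host-telemetry sweep. The Python below is an added example, not Aikido's tooling, run over a constructed list of DNS, network, file and process events; the indicator values (fasterxml.org, port 51211, 103.127.243.82:8000, .idea.pid, payload.bin, svchosts.exe) come from the article, while the event schema is an assumption. The process rule generalises beyond the article's single case: any image name one edit away from svchost.exe that is not svchost.exe itself is flagged.

```python
"""Sweep host telemetry for the indicators described above (added example).
Events are a constructed list; the indicator values come from the article."""

# Indicators from the article (defanged in the text, plain here for matching).
C2_DOMAIN = "fasterxml.org"  # lookalike of the genuine fasterxml.com
C2_ENDPOINTS = {
    ("m.fasterxml.org", 51211): "encrypted config fetch (config.txt)",
    ("103.127.243.82", 8000): "payload download",
}
MARKER_FILES = {
    ".idea.pid": "persistence marker in project directory",
    "payload.bin": "downloaded payload staged in temp directory",
}
MIMICKED_PROCESSES = {"svchost.exe"}  # the Windows payload ships as svchosts.exe


def _edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_process_typosquat(name):
    """Generalises the article's svchosts.exe case: any name one edit away
    from a mimicked process name, but not the genuine name itself."""
    n = name.lower()
    return any(n != p and _edit_distance(n, p) == 1 for p in MIMICKED_PROCESSES)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan_events(events):
    """Return (event index, indicator, stage) for every event matching an IoC."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "dns":
            host = ev["query"].lower().rstrip(".")
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                hits.append((i, f"dns:{host}", "C2 domain lookup"))
        elif kind == "net":
            stage = C2_ENDPOINTS.get((ev["dst"].lower(), ev["port"]))
            if stage:
                hits.append((i, f"net:{ev['dst']}:{ev['port']}", stage))
        elif kind == "file":
            base = _basename(ev["path"])
            if base in MARKER_FILES:
                hits.append((i, f"file:{base}", MARKER_FILES[base]))
        elif kind == "process":
            base = _basename(ev["image"])
            if is_process_typosquat(base):
                hits.append((i, f"process:{base}", "typosquatted process name"))
    return hits


# Constructed telemetry: benign and malicious events interleaved
# (203.0.113.5 is a documentation-range address standing in for normal traffic).
SAMPLE_EVENTS = [
    {"type": "dns", "query": "api.github.com"},
    {"type": "dns", "query": "m.fasterxml.org"},
    {"type": "net", "dst": "203.0.113.5", "port": 443},
    {"type": "net", "dst": "m.fasterxml.org", "port": 51211},
    {"type": "net", "dst": "103.127.243.82", "port": 8000},
    {"type": "file", "path": "/home/dev/app/pom.xml"},
    {"type": "file", "path": "/home/dev/app/.idea.pid"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\dev\AppData\Local\Temp\svchosts.exe"},
]

if __name__ == "__main__":
    for idx, indicator, stage in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {indicator} -> {stage}")
```

Because the stages are ordered by the infection chain the article describes, a host that shows the DNS lookup and the config fetch but no payload download is a useful triage signal in itself: the dependency was loaded and started, and egress filtering or a takedown stopped it partway.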
