Typosquatting in Maven Central: Alert for Java developers


Last week, the Aikido team identified a unique and sophisticated attack on the Java ecosystem: a malicious package published on Maven Central, disguised as a legitimate extension of the popular Jackson JSON library.

The package, called org.fasterxml.jackson.core/jackson-databind, mimicked the namespace of the original library (com.fasterxml.jackson.core) — a technique known as typosquatting. This practice exploits small variations in trusted names to deceive users and developers. In this case, the simple replacement of com with org was enough to appear legitimate to the untrained eye.

  • Fake namespace: org.fasterxml.jackson.core (the legitimate one is com.fasterxml.jackson.core)
  • Fake domain: fasterxml.org (the legitimate one is fasterxml.com)

The domain

The domain fasterxml.org, created to mimic the legitimate one, was registered on December 17, 2025, just eight days before its discovery by Aikido. WHOIS data indicates that the registration was done through GoDaddy and that the record was updated on December 22, which points to active preparation of the malicious infrastructure in the days leading up to its use.


This short interval between domain registration and its effective use is typical of malware campaigns: attackers set up the infrastructure shortly before operation to reduce the chances of detection and inclusion on blocklists. Since the legitimate Jackson library has used the fasterxml.com domain for over ten years, the .org variation becomes a simple and effective way to impersonate it, with high potential returns for criminals.

Why does this matter?

By adding this dependency to the pom.xml file, the developer believed they were using a safe feature. In reality, they were opening the door to a Trojan Downloader capable of:

  • Contacting a command and control (C2) server.
  • Downloading and running payloads specific to Windows, macOS, and Linux.
  • Establishing persistence on the system.

The malicious binaries were identified as Cobalt Strike beacons, a tool commonly used by advanced groups for remote control, lateral movement, and targeted attacks.

The danger of typosquatting

This attack is a typical example of how small differences can cause big problems. Just like with fake domains (fasterxml.org vs fasterxml.com), swapping prefixes in Java namespaces is a weakness that has been little exploited — until now.

How can I protect myself?

  • Carefully check namespaces and domains before adding dependencies.
  • Use security analysis tools to detect suspicious packages.
  • Push for preventative measures in repositories, such as similarity detection and extra verification for popular namespaces.
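The first recommendation above, checking namespaces and domains before adding a dependency, can be automated. The following script is an added example written for this post; it is not code from Aikido, Observster, or the Jackson project. It parses a pom.xml, extracts every dependency's groupId, and flags any groupId that matches a vetted groupId except for its leading reverse-domain segment (com, org, net, io), which is exactly the com/org swap used in this attack. The same check is applied to registrable domains (fasterxml.org vs fasterxml.com). The allowlist, the set of swappable prefixes, and the sample pom.xml are constructed for the example; a real deployment would load the allowlist from the team's own vetted dependency list.

```python
"""Flag Maven dependencies and domains that impersonate trusted names by a prefix/TLD swap.

Added example, not part of the original post. The allowlist, prefix set and
sample POM below are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed allowlist (assumption): groupIds this team has already vetted.
TRUSTED_GROUP_IDS = {
    "com.fasterxml.jackson.core",
    "org.apache.commons",
    "org.slf4j",
}

# Reverse-domain prefixes an impersonator is likely to swap (com -> org, etc.).
SWAPPABLE_PREFIXES = {"com", "org", "net", "io", "dev"}

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def lookalike_of(group_id: str, trusted: set[str]) -> str | None:
    """Return the trusted groupId that `group_id` impersonates by differing only in
    its leading segment (org.fasterxml.jackson.core vs com.fasterxml.jackson.core).
    Returns None when the groupId is itself trusted or is not a prefix-swap lookalike."""
    if group_id in trusted:
        return None
    head, sep, rest = group_id.partition(".")
    if not sep or head not in SWAPPABLE_PREFIXES:
        return None
    for prefix in SWAPPABLE_PREFIXES - {head}:
        candidate = f"{prefix}.{rest}"
        if candidate in trusted:
            return candidate
    return None


def domain_lookalike_of(domain: str, trusted_domains: set[str]) -> str | None:
    """Same idea for domains: fasterxml.org mimics fasterxml.com when only the TLD differs."""
    if domain in trusted_domains:
        return None
    name, sep, tld = domain.rpartition(".")
    if not sep:
        return None
    for trusted in trusted_domains:
        trusted_name, _, trusted_tld = trusted.rpartition(".")
        if trusted_name == name and trusted_tld != tld:
            return trusted
    return None


def parse_dependencies(pom_xml: str) -> list[tuple[str, str]]:
    """Extract (groupId, artifactId) pairs from a POM, with or without the POM XML namespace."""
    root = ET.fromstring(pom_xml)
    ns = MAVEN_NS if root.tag.startswith(MAVEN_NS) else ""
    deps = []
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId", default="").strip()
        artifact = dep.findtext(f"{ns}artifactId", default="").strip()
        deps.append((group, artifact))
    return deps


def audit_pom(pom_xml: str, trusted: set[str] = TRUSTED_GROUP_IDS) -> list[dict]:
    """Return one finding per dependency whose groupId is a lookalike of a trusted groupId."""
    findings = []
    for group, artifact in parse_dependencies(pom_xml):
        target = lookalike_of(group, trusted)
        if target:
            findings.append({"groupId": group, "artifactId": artifact, "mimics": target})
    return findings


# Constructed sample POM: one legitimate Jackson dependency, one com->org impersonation.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.app</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>EXAMPLE-VERSION</version>
    </dependency>
    <dependency>
      <groupId>org.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>EXAMPLE-VERSION</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>EXAMPLE-VERSION</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(f"SUSPICIOUS {finding['groupId']}:{finding['artifactId']} mimics {finding['mimics']}")
    print(domain_lookalike_of("fasterxml.org", {"fasterxml.com"}))
```

Run against the sample, the script reports only the org.fasterxml.jackson.core dependency, because com.fasterxml.jackson.core and org.slf4j are on the allowlist. The check is deliberately narrow: it catches a single swapped leading segment rather than any edit-distance neighbour, which keeps false positives low in a CI gate. A broader comparison (edit distance, homoglyphs) belongs in the repository-side similarity detection the third recommendation asks for.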

The Java ecosystem has long been considered secure against supply chain attacks, but this incident serves as a warning.


Want to know if your brand is already being used on suspicious domains?
Solutions like Observster allow you to quickly identify potentially fraudulent registrations before they escalate into scams or real losses. The first step to protecting your brand starts with observation.
