Google links axios supply chain attack to North Korean group
Summary
Google Threat Intelligence Group (GTIG) and other researchers have attributed a recent supply chain compromise of the hugely popular npm package axios to a North Korean-aligned threat actor tracked as UNC1069. Security firms observed similarities between the backdoors used in this incident and WAVESHAPER, malware linked to prior North Korean campaigns.
Attackers published two malicious versions of axios on npm after hijacking the lead maintainer’s account. The malicious package delivered a multi-stage payload including a remote access trojan (RAT) capable of running arbitrary commands, exfiltrating data and persisting on infected machines. The malware impacted Windows, macOS and Linux, then removed itself and replaced the infected files with clean axios code to hide the compromise.
Researchers warned there were zero lines of malicious code inside axios itself — the threat relied on an injected dependency to deploy the RAT. Experts from Mandiant and others said the blast radius is wide given axios’s ubiquity, and that stolen credentials and secrets from these incidents will likely fuel further supply-chain attacks, ransomware and crypto theft.
The axios compromise follows a string of recent supply-chain incidents (including LiteLLM and 3CX) that highlight how fragile the software ecosystem is when a single maintainer account is abused.
Key Points
- GTIG attributes the axios npm compromise to UNC1069, a North Korean-linked actor; other researchers corroborated the link.
- Attackers published two malicious axios versions on npm after hijacking the lead maintainer’s account.
- The malicious package installed a multi-stage payload and a RAT able to execute commands, exfiltrate data and persist across OSes (Windows, macOS, Linux).
- The malware removed itself and restored legitimate axios files to evade detection, making post-incident assessment harder.
- There were no malicious lines in axios itself; the attack used an added dependency to deliver the payload.
- Security firms called this one of the most operationally sophisticated supply-chain attacks against a top-10 npm package.
- Experts warn the incident expands the pool of stolen credentials and secrets, increasing chances of follow-on attacks such as ransomware, further supply-chain compromises and crypto heists.
Why should I read this?
Heads up — if you or your teams use axios (or anything that depends on it), this is not business-as-usual. The attackers hijacked one maintainer account and the malicious code lived on npm for hours, potentially reaching tens of thousands of builds. We’ve saved you the slog: skim the key points, then check your environments, rotate credentials, lock down maintainer accounts and scan deployments for unexpected dependencies.
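One concrete way to do the last step, "scan deployments for unexpected dependencies": the article states the malicious versions carried no malicious lines in axios itself and instead pulled in an added dependency, so a useful check is to compare every installed copy of axios in your lockfile against the dependency set you know to be legitimate. The script below is an added example written for this summary, not code from the article, from Google, or from the axios project. It reads an npm lockfile in the v2/v3 `packages` layout, finds every copy of a package (including nested copies under other modules), and reports any dependency not on an allowlist. The allowlist and the sample lockfile are constructed for illustration: take the real allowlist from a lockfile you trust, and the version strings and `example-injected-dep` name are placeholders, not indicators from the incident.

```javascript
// Added example (not from the article): flag unexpected dependencies of a package
// in an npm lockfile. Sample data below is constructed; version strings and the
// "example-injected-dep" name are placeholders, not real indicators.

// Return every lockfile entry for `pkgName`, including nested copies such as
// "node_modules/some-lib/node_modules/<pkgName>".
function findInstalledCopies(lock, pkgName) {
  const packages = lock.packages || {};
  const copies = [];
  for (const [path, entry] of Object.entries(packages)) {
    const isCopy =
      path === `node_modules/${pkgName}` ||
      path.endsWith(`/node_modules/${pkgName}`);
    if (isCopy) {
      copies.push({
        path,
        version: entry.version,
        dependencies: Object.keys(entry.dependencies || {}),
      });
    }
  }
  return copies;
}

// Compare each copy's declared dependencies against an allowlist and report
// anything extra. An extra dependency on a package that normally has a small,
// stable dependency set is the pattern described in the article.
function findUnexpectedDeps(lock, pkgName, allowedDeps) {
  const allowed = new Set(allowedDeps);
  const findings = [];
  for (const copy of findInstalledCopies(lock, pkgName)) {
    const unexpected = copy.dependencies.filter((dep) => !allowed.has(dep));
    if (unexpected.length > 0) {
      findings.push({ path: copy.path, version: copy.version, unexpected });
    }
  }
  return findings;
}

// Convenience wrapper for raw lockfile text (e.g. read from package-lock.json).
function scanLockfileText(jsonText, pkgName, allowedDeps) {
  return findUnexpectedDeps(JSON.parse(jsonText), pkgName, allowedDeps);
}

// ASSUMPTION: the known-good dependency list. Populate this from a lockfile you
// trust; these three names are axios's long-standing runtime dependencies.
const EXPECTED_AXIOS_DEPS = ["follow-redirects", "form-data", "proxy-from-env"];

// Constructed sample lockfile: one clean top-level copy of axios and one nested
// copy that declares an extra, unexpected dependency.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "0.0.0-placeholder", "some-lib": "0.0.0-placeholder" } },
    "node_modules/axios": {
      version: "0.0.0-placeholder",
      dependencies: {
        "follow-redirects": "0.0.0-placeholder",
        "form-data": "0.0.0-placeholder",
        "proxy-from-env": "0.0.0-placeholder",
      },
    },
    "node_modules/some-lib": {
      version: "0.0.0-placeholder",
      dependencies: { axios: "0.0.0-placeholder" },
    },
    "node_modules/some-lib/node_modules/axios": {
      version: "0.0.0-placeholder",
      dependencies: {
        "follow-redirects": "0.0.0-placeholder",
        "form-data": "0.0.0-placeholder",
        "proxy-from-env": "0.0.0-placeholder",
        "example-injected-dep": "0.0.0-placeholder",
      },
    },
    "node_modules/example-injected-dep": { version: "0.0.0-placeholder" },
  },
};

// Demonstration on the constructed sample.
const sampleFindings = findUnexpectedDeps(SAMPLE_LOCK, "axios", EXPECTED_AXIOS_DEPS);
for (const f of sampleFindings) {
  console.log(`${f.path}@${f.version}: unexpected dependencies ${f.unexpected.join(", ")}`);
}
```

To run it against a real project, pass the contents of `package-lock.json` to `scanLockfileText`; an empty result means every installed copy of axios declares only the dependencies you expect. The check is deliberately narrow (declared dependencies only); the article's other recommendations, rotating credentials and reviewing maintainer account security, are not something a lockfile scan can replace.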
Source
Source: https://therecord.media/google-links-axios-supply-chain-attack-north-korea
