North Korean Hackers Exploit Social Engineering to Compromise Axios npm Supply Chain
A significant cybersecurity breach has emerged involving the Axios npm package, confirming that a targeted social engineering campaign orchestrated by North Korean threat actors, identified as UNC1069, was responsible for the supply chain compromise. This incident highlights the vulnerabilities within open-source software ecosystems and the sophisticated tactics employed by cybercriminals.
The Attack Unfolds
Jason Saayman, the maintainer of the Axios npm package, detailed how the attackers meticulously crafted their approach. They initially contacted him while impersonating the founder of a legitimate, well-known company. Saayman noted that the attackers had cloned the company’s branding and even created a Slack workspace that appeared credible, complete with channels sharing LinkedIn posts.
Following this initial contact, the threat actors scheduled a meeting on Microsoft Teams. During the call, Saayman encountered a fabricated error message indicating that something on his system was outdated. When he attempted to address the issue, a remote access trojan was deployed, granting the attackers access to his npm account credentials. This breach allowed them to publish two trojanized versions of the Axios package, specifically versions 1.14.1 and 0.30.4, which contained a malicious implant named WAVESHAPER.V2.
Saayman remarked on the professionalism of the operation, stating, “Everything was extremely well coordinated, looked legit, and was done in a professional manner.”
Technical Overlaps and Broader Implications
The attack chain described by Saayman bears significant resemblance to tactics previously associated with UNC1069 and BlueNoroff, another group linked to North Korean cyber operations. Reports from cybersecurity firms Huntress and Kaspersky have documented similar campaigns, with Kaspersky referring to one such operation as GhostCall.
In these attacks, users are often presented with a misleading error message shortly after joining a call, prompting them to download a malicious SDK for Zoom or Teams. Depending on the victim’s operating system, this action triggers the execution of either an AppleScript on macOS or a PowerShell script on Windows. One of the payloads delivered in these attacks is the CosmicDoor backdoor, which exists as a Nim-based macOS build and a Go-based Windows variant. This backdoor is capable of deploying a comprehensive suite of credential-stealing tools, dubbed SilentSiphon, which targets various platforms including GitHub, GitLab, and npm.
As highlighted by Mandiant, a subsidiary of Google, some of these attacks have also facilitated the deployment of C++ malware named WAVESHAPER, which serves as a conduit for additional malicious tools, including HYPERCALL and SUGARLOADER.
The Evolving Threat Landscape
Security researcher Taylor Monahan noted the concerning trend of North Korean actors shifting their focus to open-source software maintainers. Historically, these attackers have targeted high-profile individuals such as cryptocurrency founders and venture capitalists. Monahan expressed concern over this evolution, stating, “This evolution to targeting [OSS maintainers] is a bit concerning.”
In response to the breach, Saayman has implemented several preventive measures, including resetting all devices and credentials, establishing immutable releases, and updating GitHub Actions to adhere to best practices. These steps are crucial in safeguarding against future attacks, particularly as open-source project maintainers increasingly become targets for sophisticated cyber threats.
The Impact of the Axios Compromise
With Axios attracting nearly 100 million weekly downloads and being widely utilized across the JavaScript ecosystem, the potential impact of such a supply chain attack is extensive. Ahmad Nassri from Socket emphasized the challenges of assessing exposure in modern JavaScript environments, stating, “A package as widely used as Axios being compromised shows how difficult it is to reason about exposure in a modern JavaScript environment.”
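One concrete way to reason about exposure is to scan a project’s lockfile for the two trojanized releases named above, including copies pulled in transitively. The following is an added example written for this article, not code from Axios, Socket or the article’s author; the lockfile contents and the dependency name "some-sdk-client" are constructed for illustration.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3) for the two
// trojanized axios releases named in the report, 1.14.1 and 0.30.4, including
// copies installed under another package's nested node_modules directory.
const COMPROMISED = { axios: new Set(["1.14.1", "0.30.4"]) };

// Constructed sample lockfile (not a real project): axios appears once as a direct
// dependency and once nested under a made-up dependency "some-sdk-client".
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0", "some-sdk-client": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1", resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz" },
    "node_modules/some-sdk-client": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/some-sdk-client/node_modules/axios": { version: "0.30.4" },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
});

// The package name is everything after the last "node_modules/" segment, which
// handles both scoped names (@scope/name) and nested installs.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns every installed entry whose name/version pair is on the list, with its
// install path so a responder can see which dependency pulled it in.
function findCompromised(lockJson, list = COMPROMISED) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(path);
    if (name && list[name] && list[name].has(entry.version)) {
      // More than one "node_modules/" segment means the copy is transitive.
      hits.push({ name, version: entry.version, path, transitive: path.split("node_modules/").length > 2 });
    }
  }
  return hits;
}

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.transitive ? "transitive" : "direct"}: ${h.name}@${h.version} at ${h.path}`);
}
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of its package-lock.json; lockfileVersion 1 files lack the "packages" map and need a different walk.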
The Axios incident is not an isolated event; it is part of a broader, coordinated campaign targeting high-impact open-source maintainers. Recent analyses indicate that several maintainers across the Node.js ecosystem have been approached in similar manners, suggesting a systematic effort to exploit vulnerabilities within this community.
Coordinated Campaigns Targeting Open Source
In a follow-up analysis, Socket reported that numerous maintainers within the Node.js ecosystem had been targeted as part of this coordinated social engineering campaign. The attack strategy typically involves building rapport over weeks, scheduling video calls, and then prompting the target to install a malicious “fix.” Socket CEO Feross Aboukhadijeh described this process, stating, “That fix is a RAT. Once it’s on your machine, they have your .npmrc tokens, browser sessions, AWS creds, and Keychain. 2FA doesn’t matter.”
Among the targeted individuals were notable figures such as Jordan Harband, who maintains ECMAScript polyfills, and John-David Dalton, the creator of Lodash. In one instance, a maintainer was invited to a fake podcast recording, where they were instructed to join a video call that turned out to be a fraudulent platform. When the maintainer refused to download a suspicious app, the attackers switched tactics, attempting to convince them to execute a command in the Terminal app.
Another targeted individual, Jean Burellier, experienced a similar approach, receiving a LinkedIn message from the attackers posing as a representative of a company named Openfort. After building trust, he was invited to join Slack workspaces, only to find himself in a private channel where he was prompted to join a fake Microsoft Teams call.
The accounts targeted in these operations span some of the most widely relied-upon packages in the npm registry, confirming that the Axios breach was not an isolated incident but part of a larger, scalable attack pattern aimed at high-trust, high-impact open-source maintainers.
Source: thehackernews.com