The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign linked to North Korean hackers.
This follows the threat actors compromising a maintainer account to publish two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry, triggering a supply chain attack.
These releases injected a dependency named plain-crypto-js that installed a remote access trojan (RAT) on macOS, Windows, and Linux systems.
The malicious versions were available for roughly three hours before being removed, but systems that installed them during that period should be considered compromised, and all credentials and authentication keys should be rotated.
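As an added example, not code from the Axios post-mortem or from the project itself, the script below scans a lockfileVersion 2/3 package-lock.json for the two indicators this article names: axios pinned at 1.14.1 or 0.30.4, and any resolved plain-crypto-js package. The sample lockfile and the plain-crypto-js version string are constructed for illustration.

```python
import json

# Indicators taken from the incident described above; everything else in this
# file is constructed for illustration.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCY = "plain-crypto-js"


def package_name(path: str) -> str:
    """Map a lockfile path such as 'node_modules/@scope/pkg' or
    'node_modules/a/node_modules/b' to the package name it resolves to."""
    return path.rsplit("node_modules/", 1)[-1]


def find_indicators(lock: dict) -> list[str]:
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json
    and return one finding per entry that matches a known indicator."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        version = meta.get("version", "")
        if name == "axios" and version in MALICIOUS_AXIOS_VERSIONS:
            findings.append(f"{path}: axios@{version} is a known malicious release")
        if name == MALICIOUS_DEPENDENCY:
            findings.append(f"{path}: {name}@{version} was the RAT loader dependency")
    return findings


def scan_file(path: str) -> list[str]:
    """Load a lockfile from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_indicators(json.load(fh))


# Constructed sample lockfile: one clean dependency plus both indicators.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/axios": {"version": "1.14.1",
                           "dependencies": {"plain-crypto-js": "*"}},
    "node_modules/plain-crypto-js": {"version": "0.0.0-constructed"}
  }
}""")

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_LOCK) or ["no indicators found"]:
        print(line)
```

A hit on either indicator means the host installed the compromised release during the exposure window and should be treated as compromised per the guidance above.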
The Axios maintainers said they have wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
The Google Threat Intelligence Group has since linked this attack to North Korean threat actors tracked as UNC1069.
"GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor," explains Google.
"Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities."
Targeted in a social engineering attack
According to the post-mortem, the compromise began weeks earlier with a targeted social engineering attack on the project's lead maintainer, Jason Saayman.