
Backdooring of JavaScript Library Axios Linked to North Korea


Expect Fallout After Remote Access Trojan Added to Popular JavaScript NPM Package

A supply-chain attack affecting Axios, the popular JavaScript library, traced back to DPRK threat activity. (Image: Shutterstock)

In a significant breach of software integrity, security researchers have revealed that a recent supply-chain attack compromised the widely utilized JavaScript library Axios, embedding a remote access Trojan (RAT) into its updates. Experts strongly believe that this operation has links to North Korean cyber activities.

Axios, which is widely used to simplify HTTP requests in JavaScript, is downloaded more than 100 million times each week, underlining its central place in the development ecosystem. The package is distributed through npm, the package registry of the Node.js JavaScript runtime, and its source code is maintained on GitHub.

The attack on Axios has been traced back to a “hijacked maintainer account” of the library. Using that account, the attackers published malicious versions of the Axios library, specifically 1.14.1 and 0.30.4, by injecting a hidden dependency that deploys a cross-platform RAT. According to StepSecurity, a platform dedicated to preventing supply-chain attacks, developers who have installed these versions must treat their systems as compromised.

Threat researchers at Google have pinpointed a precise timeline for the attack, indicating that it unfolded in the early hours of a Tuesday, between 00:21 and 03:20 UTC. Google attributed the breach to a threat group with alleged affiliations to North Korea, tracked as UNC1069. The group’s tooling matches malware seen in its earlier operations, in particular a variant called WaveShaper, which has been linked to prior attacks.

As the implications of this incident unfold, experts warn that the fallout may be far-reaching. Axios is integral to numerous software applications ranging from web and mobile apps to Software-as-a-Service (SaaS) platforms. The pervasive nature of this tool raises concerns about how many downstream projects may have been affected, as noted by cybercrime analyst Alan Woodward, who highlighted the uncertain “blast radius” of the attack.

Stealthy Attack Mechanism

The attack has been described as remarkably stealthy and effectively orchestrated. Notably, there were “zero lines of malicious code” contained directly within Axios, which is precisely what made it so hard to spot. The poisoned releases introduced a new dependency, plain-crypto-js@4.2.1, that had never been used anywhere in Axios’s source code. Because npm runs a package’s lifecycle scripts on installation, this dependency’s post-install script executed automatically and deployed the RAT on macOS, Windows, and Linux.

The design of the malware was meticulous: it contacted a live command-and-control server, retrieved secondary payloads, and then removed the traces of its own activity. Consequently, developers inspecting their installation directories after the breach would find no indication of compromise.
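Because the malicious dependency is installed alongside Axios rather than written into it, the most direct place to look for it after the fact is the project’s lockfile, not the Axios source. The following Node.js script is an added example written for this article (it is not code from the Axios project, StepSecurity, or Google): it audits a package-lock.json for the two backdoored Axios versions and the injected plain-crypto-js dependency named in the report, and separately flags every package that declares an install lifecycle script, since that is the mechanism the attackers used. It assumes the lockfile v2/v3 layout, in which the `packages` map is keyed by each dependency’s node_modules path and `hasInstallScript` marks packages with preinstall/install/postinstall scripts; the sample lockfile and the non-Axios package names in it are constructed for the example.

```javascript
// Added example for this article (not code from the Axios project or the
// article's sources): audit an npm package-lock.json for the compromised
// axios releases and the injected plain-crypto-js dependency, and flag any
// package that declares an install lifecycle script.
// Assumption: lockfile v2/v3 layout, where "packages" is keyed by the
// node_modules path of each installed package and "hasInstallScript" marks
// packages with preinstall/install/postinstall scripts.

const AFFECTED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']); // from the report
const ROGUE_DEPENDENCY = 'plain-crypto-js';                      // from the report

// "node_modules/axios/node_modules/@scope/pkg" -> "@scope/pkg"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns a list of findings. An empty list means none of the report's
// indicators were found; it does not prove the dependency tree is clean.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '') continue; // the root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const version = meta.version || 'unknown';

    if (name === 'axios' && AFFECTED_AXIOS_VERSIONS.has(version)) {
      findings.push({ severity: 'critical', path: lockPath,
        reason: `axios@${version} is one of the backdoored releases` });
    }
    if (name === ROGUE_DEPENDENCY) {
      findings.push({ severity: 'critical', path: lockPath,
        reason: `${name}@${version} is the dependency injected into the poisoned axios releases` });
    }
    if (meta.hasInstallScript === true) {
      findings.push({ severity: 'review', path: lockPath,
        reason: `${name}@${version} runs an install lifecycle script` });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration; not a real project's file.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      dependencies: { 'plain-crypto-js': '4.2.1', 'example-benign-lib': '^2.0.0' },
    },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/example-benign-lib': { version: '2.0.0' },
    // a harmless (constructed) native module that legitimately builds on install
    'node_modules/example-native-helper': { version: '0.3.1', hasInstallScript: true },
  },
};

// Audit a lockfile on disk, e.g. node audit-lockfile.js ./package-lock.json
function auditLockfileFile(filePath) {
  const fs = require('node:fs');
  return auditLockfile(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const findings = target ? auditLockfileFile(target) : auditLockfile(SAMPLE_LOCKFILE);
  for (const f of findings) console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
  if (target && findings.some((f) => f.severity === 'critical')) process.exitCode = 1;
}
```

Run against the sample tree it reports two critical findings (the axios release and the injected package) and two packages with install scripts, one of them the injected package itself. The `review` findings are deliberately separate from the `critical` ones: many legitimate native modules build on install, so an install script alone is a prompt to inspect, not proof of compromise. Installing with `npm ci --ignore-scripts` in CI is a standard way to keep that mechanism from running unattended.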

Experts have noted how strategic the targeting of this attack was. The repercussions are expected to reach countless other popular packages that depend on Axios, spreading the exposure across many software ecosystems.

Compromised Maintainer Account

A particularly alarming aspect of this breach was the method by which the attackers gained access to the Axios maintainer’s account. Jay Saayman, one of Axios’s maintainers, reported being socially engineered by individuals posing as interested collaborators. This manipulation reportedly involved a sophisticated phishing attack that exploited session tokens, rendering the account’s two-factor authentication ineffective. Once the attackers had access, they changed the email address associated with the maintainer account, giving them unfettered control to disable security measures and publish harmful updates.

Investigations suggest that the group known as UNC1069, which has been active since 2018, is notorious for targeting cryptocurrency-related entities, indicating a broader strategic interest in financial theft.

Cascade of Security Breaches

Notably, this attack does not appear to be connected to other recent supply-chain breaches linked to the TeamPCP hacking group, also known as UNC6780. TeamPCP has shown a preference for targeting open-source software projects and has previously infiltrated various security tools, leading to the compromise of repository credentials and confidential information.

Taken together, the tactics of UNC1069 and TeamPCP reveal a troubling trend in cyber attacks, in which the security infrastructure of numerous software environments has been jeopardized. Analysts stress that the cumulative impact of these incursions could put hundreds of thousands of stolen credentials into circulation, amplifying the risk of further supply-chain attacks, ransomware incidents, and cryptocurrency heists.
