A suspected North Korean hacker has hijacked the popular open-source software development tool Axios to deliver malware, potentially putting millions of developers at risk. The widely used JavaScript library, an HTTP client that lets software make requests over the internet, was modified to distribute a remote access trojan.
The malicious versions of the library were hosted on npm, a software repository that stores code for open-source projects. Axios is typically downloaded tens of millions of times every week by developers worldwide.
The compromise was discovered and halted within approximately three hours overnight from Monday into Tuesday. Security firm StepSecurity analyzed the attack and tracked its containment.
It remains unclear exactly how many people downloaded the malicious version of Axios during that three-hour window. However, security company Aikido, which also investigated the incident, advised that anyone who downloaded the compromised code “should assume their system is compromised.”
Google’s security researchers have linked the incident to North Korean threat actors. John Hultquist, the chief analyst for Google’s Threat Intelligence Group, attributed the attack to a suspected group tracked as UNC1069.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” Hultquist stated. “The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”
The hacker breached the project by compromising the account of one of Axios’s primary developers, who possessed the authorization to push out updates. The attacker then replaced the legitimate developer’s email address with their own, impeding the developer’s ability to regain access to the account.
Once in control, the hacker inserted malicious code designed to deliver a remote access trojan, essentially granting them full, remote control over a victim’s computer. These new, malicious versions of Axios were pushed out disguised as legitimate updates for Windows, macOS, and Linux users.
To evade detection by anti-malware engines and investigators, the hackers designed both the malware and its delivery code to delete themselves automatically immediately after installation.
This incident is classified as a supply chain attack, a method where hackers target software developers to mass-hack anyone relying on the compromised code. In recent years, similar widespread breaches have targeted companies such as 3CX, Kaseya, and SolarWinds, along with open-source tools like Log4j and Polyfill.io.