Google links axios supply chain attack to North Korean group
Hackers connected to North Korea are responsible for the recent compromise of a wildly popular library used in both front-end apps and back-end systems, according to new research.
On Monday evening, news emerged that hackers launched a supply chain attack targeting the HTTP client axios, which is downloaded 100 million times each week and embedded across frontend frameworks, backend services and enterprise applications.
Google Threat Intelligence Group (GTIG) joined several other researchers in attributing the attack to a North Korean threat actor they call UNC1069. SentinelOne found the same group using macOS-based malware in attacks dating back to 2023.
Last month, the financially motivated group was accused of targeting a cryptocurrency company with several unique pieces of malware deployed alongside multiple scams, including a fake Zoom meeting.
Several other researchers backed Google’s assessment because the backdoors used during the axios attack resemble WAVESHAPER, a strain of malware North Korean actors used during the fake Zoom campaign.
John Hultquist, chief analyst at Google Threat Intelligence Group, said the axios incident is unrelated to another recent supply chain attack that caused alarm among security experts due to its widespread nature.
Hultquist noted that North Korean hackers “have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency.” A 2023 supply-chain attack on the enterprise phone company 3CX was attributed to North Korean hackers.
“The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts,” Hultquist said.
Experts raised alarms early on Tuesday morning when two malicious versions of the axios package were published on the npm registry.
Security companies Socket and StepSecurity confirmed the packages were malicious and traced the incident back to the hijacking of the lead axios maintainer’s npm account.
Socket said the malicious package deploys a multi-stage payload, including a “remote access trojan (RAT) capable of executing arbitrary commands, exfiltrating system data, and persisting on infected machines.”
“When the attack first happened, axios maintainers were unable to regain control of the project. In a public GitHub issue, a collaborator stated they could not revoke access from the account responsible for the malicious publish, noting that the attacker’s permissions exceed their own,” Socket explained.
Axios is among the most popular JavaScript HTTP client libraries and is used by developers to connect apps to the internet. StepSecurity said that this is “among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.”
The malicious version injects a new dependency that installs the malware, which affects Windows, macOS and Linux. After executing, the malware deletes itself and replaces the compromised package with a clean version of axios to evade detection, StepSecurity added.
“There are zero lines of malicious code inside axios itself, and that's exactly what makes this attack so dangerous,” the researchers said.
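Because the malicious code lives in an injected dependency rather than in axios itself, and because the payload cleans up after itself, the install record is a better place to look than the files now on disk. The following script is an added example written for this page, not tooling from axios, Socket or StepSecurity: it walks a parsed package-lock.json (lockfileVersion 2 or 3), finds every installed copy of axios, including copies nested under other packages that depend on it, and flags any whose version is on an operator-supplied suspect list or whose declared dependencies go beyond the set a stock axios 1.x release carries. The expected-dependency set is an assumption to verify against a known-good copy; the version strings and the package names "some-sdk" and "example-dropper" in the sample lockfile are placeholders, not real identifiers from the incident.

```javascript
"use strict";

// Dependencies a stock axios 1.x package.json declares. This is an assumption made
// for the example; verify it against a known-good copy of the release you use.
const EXPECTED_AXIOS_DEPS = new Set(["follow-redirects", "form-data", "proxy-from-env"]);

// Walk up the node_modules tree the way Node resolves a require() and return the
// lockfile entry that `dep` resolves to for the package installed at `fromPath`.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return { path: candidate, entry: packages[candidate] };
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Scan a parsed package-lock.json ("packages" map keyed by install path) for every
// installed copy of axios and flag any whose version is on the suspect list or whose
// declared dependencies go beyond EXPECTED_AXIOS_DEPS. Returns one finding per copy.
function scanLockfile(lock, suspectVersions = []) {
  const suspects = new Set(suspectVersions);
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    // Keys look like "node_modules/axios" or "node_modules/<pkg>/node_modules/axios".
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    const version = entry.version || "unknown";
    const reasons = [];
    if (suspects.has(version)) reasons.push(`version ${version} is on the suspect list`);
    const unexpected = Object.keys(entry.dependencies || {})
      .filter((name) => !EXPECTED_AXIOS_DEPS.has(name))
      .map((name) => {
        const resolved = resolveDep(packages, path, name);
        return {
          name,
          path: resolved ? resolved.path : null,
          version: resolved ? resolved.entry.version : null,
          // npm records hasInstallScript for packages with preinstall/install/postinstall
          // hooks, which is where a dropper would run during `npm install`.
          hasInstallScript: Boolean(resolved && resolved.entry.hasInstallScript),
        };
      });
    if (unexpected.length) {
      reasons.push(`unexpected dependencies: ${unexpected.map((u) => u.name).join(", ")}`);
    }
    if (reasons.length) findings.push({ path, version, reasons, unexpected });
  }
  return findings;
}

// Constructed sample lockfile for this example. Versions and the names "some-sdk"
// and "example-dropper" are placeholders. The top-level axios is clean; a second copy
// pulled in through some-sdk declares an extra dependency that has an install script.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.0.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.0.0-clean-example",
      dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" },
    },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.0.0-bad-example" } },
    "node_modules/some-sdk/node_modules/axios": {
      version: "1.0.0-bad-example",
      dependencies: {
        "follow-redirects": "^1.15.0",
        "form-data": "^4.0.0",
        "proxy-from-env": "^1.1.0",
        "example-dropper": "^1.0.0",
      },
    },
    "node_modules/some-sdk/node_modules/example-dropper": { version: "1.0.0", hasInstallScript: true },
  },
};

function demo() {
  // The suspect list comes from the published advisory; this value is a placeholder.
  return scanLockfile(SAMPLE_LOCK, ["1.0.0-bad-example"]);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`. The lockfile check is deliberately independent of what is in node_modules right now: a payload that swaps itself for clean files after running leaves the install record untouched, so the lockfile, the package manager's logs and any registry mirror you pull from are what tell you which version was actually resolved on a given host.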
The incident marks the latest in a string of compromises involving the software supply chain, which is increasingly tied together through code pulled in from outside sources.
Last week’s attack on the widely used open-source Python package LiteLLM allowed cybercriminals to breach several organizations. Previous incidents involving XZ Utils and the self-replicating worm Shai-Hulud stood out among a sea of research uncovering more and more corrupted npm packages.
Mandiant CTO Charles Carmakal said the number of recent software supply chain attacks is overwhelming.
“The secrets stolen over the past two weeks will enable more software supply chain attacks, software-as-a-service environment compromises (leading to downstream customer compromises), ransomware and extortion events, and crypto heists over the next several days, weeks, and months,” he said.
“We are aware of hundreds of thousands of stolen credentials. A variety of actors with varied motivations are behind these attacks. The blast radius of yesterday's axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it.”
Mike Puglia, a security leader at Kaseya, said the incidents are further evidence of the fragility of the world's software ecosystem.
“In this case, the attacker compromised one single account, the maintainer of axios, and the malicious code was ‘live’ for almost three hours before discovery. On a typical day, that could mean tens of thousands of organizations received the malware,” Puglia said.
To further complicate matters, after the attacker's remote access was deployed, the malware replaced itself with the legitimate axios files, making it difficult to know if you were compromised, he added.
Several other experts warned that the recent attacks on axios and LiteLLM would be templates for other hackers to replicate.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.