A major supply chain attack against the JavaScript library Axios is suspected to have been carried out by a North Korean threat actor. Axios, which is downloaded over 100 million times each week, had its npm (Node package manager) account compromised, allowing the introduction of a malicious dependency named plain-crypto-js.

The compromised versions of the dependency were removed within hours. However, the extensive adoption of Axios raises concerns that many users may have downloaded the poisoned version. Researchers from the Google Threat Intelligence Group (GTIG) identified the malicious dependency as an obfuscated dropper that installs a backdoor called Waveshaper.v2 on Windows, Linux, and Mac environments.
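Because the poisoned releases were pulled quickly, the practical question for a defender is whether a project's lockfile ever resolved the injected dependency. The script below is an added example, not code from the article or from the Axios project: it walks the `packages` map of an npm `package-lock.json` (lockfile version 2 or 3) and reports any package named plain-crypto-js as well as every package whose dependency list references it. Only the dependency name comes from the article; the function names, the sample lockfile and its `0.0.0-placeholder` versions are constructed for illustration and do not represent the real affected releases.

```javascript
// Added example: scan an npm lockfile (lockfileVersion 2/3 "packages" map) for a
// named dependency and report which packages pull it in. Not code from the
// article or from the Axios project. Keys of the "packages" map are install
// paths such as "node_modules/axios" or "node_modules/a/node_modules/b".

// Name from the article; extend this set with any other indicator you track.
const SUSPECT_NAMES = new Set(["plain-crypto-js"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(installPath) {
  const parts = installPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns findings of two kinds:
//   { kind: "present",   name, version, path }            a suspect package is installed
//   { kind: "dependent", name, version, dependsOn, path } a package declares the suspect as a dependency
function findSuspectDependencies(lock, suspects = SUSPECT_NAMES) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // "" is the root project itself
    const name = meta.name || packageNameFromPath(installPath);
    if (suspects.has(name)) {
      findings.push({ kind: "present", name, version: meta.version, path: installPath });
    }
    // Optional and peer dependencies are also install edges worth reporting.
    const deps = {
      ...(meta.dependencies || {}),
      ...(meta.optionalDependencies || {}),
      ...(meta.peerDependencies || {}),
    };
    for (const depName of Object.keys(deps)) {
      if (suspects.has(depName)) {
        findings.push({ kind: "dependent", name, version: meta.version, dependsOn: depName, path: installPath });
      }
    }
  }
  return findings;
}

// Parse lockfile text; refuse the old v1 format, whose tree lives under "dependencies".
function scanLockfileText(text, suspects = SUSPECT_NAMES) {
  const lock = JSON.parse(text);
  if (!lock.packages) {
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}; expected 2 or 3`);
  }
  return findSuspectDependencies(lock, suspects);
}

// Convenience wrapper for a real file (requires lazily so the module also loads as ESM).
function scanLockfilePath(filePath) {
  const fs = require("node:fs");
  return scanLockfileText(fs.readFileSync(filePath, "utf8"));
}

// Constructed sample lockfile (versions are placeholders, not the real affected releases).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "0.0.0-placeholder" } },
    "node_modules/axios": {
      version: "0.0.0-placeholder",
      dependencies: { "plain-crypto-js": "0.0.0-placeholder", "follow-redirects": "^1.15.0" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Running the sample prints one "dependent" finding for axios and one "present"
// finding for plain-crypto-js; a clean lockfile yields an empty array.
for (const f of findSuspectDependencies(SAMPLE_LOCK)) {
  console.log(JSON.stringify(f));
}
```

In practice point `scanLockfilePath` at each project's `package-lock.json` (and at lockfiles archived from CI runs during the exposure window, since a later `npm install` may have overwritten the evidence). A "present" finding means the host that ran the install should be treated as having executed the dropper until proven otherwise; a "dependent" finding with no matching "present" entry usually indicates a lockfile that was edited after the fact and deserves a closer look.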

GTIG attributes the attack to a group known as UNC1069, which has been operational since at least 2018. Waveshaper.v2 is reported as a newer version of a backdoor previously associated with the same group. In addition, Sophos has linked this attack to a North Korean-based hacker known as Nickel Gladstone.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst at GTIG. He emphasized the potential for significant repercussions due to the popularity of the compromised package.

Austin Larsen, principal threat analyst at GTIG, cautioned that anyone who downloaded [email protected] or [email protected] may have inadvertently executed a backdoor payload. This warning came in a LinkedIn post following the initial detection of the incident.

Step Security, which discovered the attack, described it as a planned compromise. The malicious dependency was staged 18 hours before its deployment on a Monday, with both release branches of Axios poisoned within 39 minutes of each other.

The attacker initially compromised the npm account of primary maintainer jasonsaayman, altering the registered email to a ProtonMail address controlled by the attacker. Step Security revealed that the malicious artifacts were set to self-destruct, raising concerns about the sophistication of the incident.

Researchers characterized this attack as one of the “most operationally sophisticated supply chain attacks ever documented” against a leading npm package. John Hammond from Huntress expressed concern over potential downstream effects on various organizations relying on Axios.

“The full effects are dynamic and still being uncovered, as any organization using Node.js or JavaScript software could rely on the compromised Axios component,” Hammond stated.

This incident is part of a recent trend of supply chain attacks, with other targets including Trivy, an open-source tool from Aqua Security, which was also compromised by a different threat actor named TeamPCB.

Charles Carmakal, CTO at Mandiant Consulting, noted that recent supply chain attacks have resulted in thousands of stolen credentials, warning of impending threats such as further SaaS compromises, ransomware, and crypto heists.
