North Korean hackers implicated in major supply chain attack

Suspected North Korean hackers are believed to be behind an ongoing compromise of the widely used open-source package Axios, which is downloaded millions of times per week, researchers at Google said Tuesday.

Why it matters: Hackers briefly turned a widely trusted developer tool into a vehicle for credential-stealing malware that could give attackers ongoing access to infected systems.


  • Axios, a widely used JavaScript library for making HTTP requests, is not affiliated with Axios Media.

Driving the news: Researchers at Google linked the activity to a North Korean group tracked as UNC1069, which has previously targeted cryptocurrency and decentralized finance companies.

  • Earlier this week, a maintainer account for the Axios npm package was compromised, allowing attackers to publish malicious versions of the software targeting macOS, Windows and Linux systems.
  • The attackers published at least two malicious versions of the package before they were discovered and removed.

Threat level: The malicious versions were removed within roughly three hours of being published, but Google warned the incident could have "far-reaching impacts" given the package's widespread use, according to John Hultquist, chief analyst at Google Threat Intelligence Group.

  • Wiz estimates Axios is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments.
  • So far, Wiz has observed the malicious versions in roughly 3% of the environments it has scanned.

Between the lines: Google researchers said the incident is separate from another major npm supply chain attack disclosed last week.

What to watch: It remains unclear how the attackers gained access to the maintainer's GitHub account.

  • Supply chain compromises often have a long tail, as infected code can persist in downstream projects long after malicious packages are removed.

Go deeper: Why organizations struggle to fend off supply chain cyberattacks
