xiand.ai
Apr 5, 2026 · Updated 11:06 PM UTC
Cybersecurity

Social Engineering Attack Compromises Axios npm Repository: Hackers Impersonate Teams Updates to Deploy Trojans

The npm account of the maintainer of the popular HTTP client Axios was hijacked by the North Korean threat group UNC1069, who used it to publish package versions carrying malicious code, triggering a supply chain security incident.

Ryan Torres

2 min read


The maintainers of the open-source HTTP client Axios recently published a security report detailing how one of them fell victim to a social engineering attack by a North Korean threat group, which resulted in malicious versions of the package being uploaded to the npm registry.

After compromising the npm account of Axios maintainer Jason Saayman, the attackers published two malicious versions, 1.14.1 and 0.30.4, to npm. These versions pulled in a dependency called 'plain-crypto-js', which installed a Remote Access Trojan (RAT) on macOS, Windows, and Linux systems.

Google Threat Intelligence Group (GTIG) has attributed the attack to the North Korean threat actor UNC1069. Active since 2018, the group has previously been linked to financially motivated operations involving the WAVESHAPER malware.

A Carefully Orchestrated Phishing Trap

According to Saayman, the attackers cloned the branding of well-known companies and impersonated their executives to lure him into a fraudulent Slack workspace. Saayman noted that the workspace was highly convincing, featuring not only fake employee profiles but also accounts impersonating other open-source maintainers.

During a subsequent Microsoft Teams video call, the attackers staged fake technical problems to persuade Saayman to install a purported 'Teams update'. The program was in fact a Remote Access Trojan, which let the attackers steal his npm credentials and bypass multi-factor authentication (MFA). A RAT running on the maintainer's own machine can act from his existing authenticated sessions and stored credentials, which is how the attackers got past MFA without having to defeat it directly.

The malicious versions were available for approximately three hours, and any system that installed them during that window should be considered compromised. The Axios maintainers have since cleaned the affected systems and rotated all credentials. Several other open-source maintainers have recently reported similar phishing attempts involving fake Teams SDK updates.

This incident is another wake-up call for open-source supply chain security. Although the Axios source repository itself was not modified, the attackers exploited developer trust by publishing package versions that pulled in a malicious dependency, which shows how stealthy current social engineering attacks on the software supply chain have become. The practical lesson is that a clean repository says nothing about what the registry served: what matters is which versions your lockfile resolved and what ran on your machines at install time.
