A supply chain attack targeting the axios JavaScript library, which sees over 100 million downloads weekly, is attributed to a North Korean threat actor, according to security researchers.
The npm account of an axios maintainer was compromised this week, leading to the introduction of a malicious dependency named plain-crypto-js. Although the malicious versions were removed within hours, axios’s extensive usage means many users may still have downloaded the compromised versions before the takedown.
Google Threat Intelligence Group researchers identified the malicious dependency as an obfuscated dropper that installs a backdoor called Waveshaper.v2 across Windows, Linux, and Mac systems. The attacker, tracked as UNC1069, has been active since at least 2018, and the newly discovered backdoor is an updated variant of one previously linked to this group.
Sophos researchers connected the attack to a North Korean hacking group known as Nickel Gladstone. “North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst at GTIG. He added that the overall impact of this incident is still unknown but is expected to be significant.
Austin Larsen, principal threat analyst at GTIG, cautioned that users who downloaded axios versions 1.14.1 and 1.30.4 may have inadvertently executed a backdoor payload linked to the malicious dependency. According to a post on LinkedIn, the initial attack activity was staged 18 hours prior to deployment.
Step Security, which detected the attack, stated that the payloads were intentionally prepared for deployment across three operating systems. “Both release branches were poisoned within 39 minutes of each other,” researchers noted. The attacker compromised the npm account of maintainer jasonsaayman, changing the registered email to one controlled by the threat actor.
This malicious artifact was designed to self-destruct after execution. Research teams characterized the attack as one of the “most operationally sophisticated supply chain attacks ever documented” against a major npm package.
John Hammond, senior principal security researcher at Huntress, warned of potential downstream effects for organizations utilizing Node.js or JavaScript-based software relying on the axios component. “Unfortunately, the full effects are dynamic and still being uncovered,” Hammond stated, indicating the widespread implications for various software environments.
The axios compromise is part of a worrying trend of supply chain attacks, with another recent incident involving Trivy, an open-source tool from Aqua Security, linked to a threat actor identified as TeamPCB. Charles Carmakal, CTO at Mandiant Consulting, revealed that thousands of stolen credentials have emerged as a result of these recent supply chain breaches, warning of possible future compromises, ransomware, and crypto thefts.





