A North Korean threat actor is suspected to be behind a major supply chain attack against axios, a JavaScript library that is downloaded more than 100 million times per week, according to security researchers.
Earlier this week, an attacker compromised the npm (Node package manager) account of an axios maintainer and introduced a malicious dependency, plain-crypto-js. The malicious versions were deleted within a few hours, but, given the widespread use of axios, there was a risk that a large number of users could have downloaded the poisoned version.
Researchers from Google Threat Intelligence Group said the malicious dependency is an obfuscated dropper that deploys a backdoor called Waveshaper.v2 across Windows, Linux and Mac environments.
GTIG researchers track the attacker under the name UNC1069, an adversary that has been active since at least 2018. The new backdoor is an updated version of Waveshaper, which has been previously linked to the same attacker, according to GTIG researchers.
Researchers from Sophos link the attack to a North Korea-based attacker they track under the name Nickel Gladstone.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst at GTIG. “The full breadth of this incident is still unclear, but, given the popularity of this compromised package, we expect it will have far-reaching impacts.”
Austin Larsen, principal threat analyst at GTIG, warns that anyone who pulled [email protected] or [email protected] could have unwittingly executed a backdoor payload via the malicious dependency, according to a post on LinkedIn.
Researchers at Step Security, which initially detected the incident, said the attack was a deliberate and planned compromise, in which the malicious dependency was staged 18 hours in advance, with threat activity beginning on Monday.
“These payloads were pre-built for three operating systems,” Step Security researchers said in a blog post released Tuesday. “Both release branches were poisoned within 39 minutes of each other.”
The attacker initially compromised the jasonsaayman npm account, which belongs to the primary maintainer, according to Step Security. The registered email was then changed to a Proton address controlled by the threat actor.
Step Security noted that the artifacts were set to self-destruct. Researchers called this one of the “most operationally sophisticated supply chain attacks ever documented” against a leading npm package.
John Hammond, senior principal security researcher at Huntress, warns there may be downstream effects on organizations that need to be fully investigated.
“Unfortunately, the full effects are dynamic and still being uncovered. Because any sort of organization, using any sort of Node.js or JavaScript based software, with any sort of packages, could still have dependencies on that underpinning axios software component,” Hammond told Cybersecurity Dive.
The axios compromise marked the latest in a series of supply chain attacks in recent weeks. Trivy, an open source tool from Aqua Security, was targeted in an attack linked to a threat actor called TeamPCB, according to researchers.
Charles Carmakal, CTO at Mandiant Consulting, said there are thousands of stolen credentials available due to a series of supply chain attacks in recent weeks, according to a LinkedIn post. He warns there could be more SaaS compromises, ransomware, crypto heists and other malicious activity as a result.
