The maintainers of the widely-used Axios HTTP client library have disclosed a sophisticated supply chain attack stemming from a successful social engineering campaign. A developer's account was compromised, allowing threat actors to publish two malicious versions (1.14.1 and 0.30.4) to the npm package registry. These tainted packages introduced a dependency named `plain-crypto-js`, which deployed a cross-platform remote access trojan (RAT) capable of infecting macOS, Windows, and Linux systems. The malicious versions were available for approximately three hours before being identified and removed, but any system that installed them during that window must be considered fully compromised. The Axios team has responded by wiping affected systems, rotating all credentials, and implementing enhanced security protocols to prevent recurrence.
Google's Threat Intelligence Group (GTIG) has attributed this attack with high confidence to a North Korean threat actor tracked as UNC1069. This financially motivated group, active since at least 2018, was identified based on the use of an updated malware variant named WAVESHAPER.V2, a tool previously associated with their operations. The attack methodology reveals a concerning evolution in North Korea's cyber strategy, which increasingly blends espionage with financially driven campaigns, often targeting open-source ecosystems to achieve broad, stealthy infiltration.
The initial compromise was achieved through a highly targeted social engineering ploy. The threat actor posed as a developer experiencing an error with Microsoft Teams and requested assistance from an Axios maintainer. They then sent a malicious repository link disguised as a necessary fix. When the maintainer cloned and executed the code, it triggered a stealthy account takeover, granting the attacker access to publish rights on the npm registry. This incident underscores the critical human vulnerability in software supply chains, where a single developer's compromised account can jeopardize millions of downstream users and applications.
In response to the breach, the Axios maintainers have taken comprehensive containment steps and are advocating for broader industry changes. All maintainers have undergone security training, and the project has enforced mandatory two-factor authentication (2FA) for all administrative accounts. Furthermore, they are exploring cryptographic signing of packages and stricter controls on publication rights. This event serves as a stark reminder for all open-source projects to audit their access controls, mandate 2FA, and educate maintainers on advanced social engineering tactics. For organizations, it reinforces the necessity of implementing robust software bill of materials (SBOM) practices and proactive monitoring of dependencies.
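Auditing dependencies for this incident comes down to checking lockfiles and SBOM data for the two tainted axios releases and for any `plain-crypto-js` entry. The following Node.js script is an added example, not code from the Axios project or the advisory; the indicator values come from the text above and the sample lockfile is constructed for the demonstration.

```javascript
// Added example, not code from the Axios project or the advisory: scan an
// npm package-lock.json for the indicators the article names.
const INDICATORS = {
  axios: new Set(["1.14.1", "0.30.4"]),  // the two malicious releases
  "plain-crypto-js": null,                // any version is a red flag
};
// Return every matching entry as {path, name, version}. Handles lockfile
// v2/v3 ("packages" keyed by install path) and v1 ("dependencies" tree).
function scanLockfile(lock) {
  const findings = [];
  const check = (path, name, version) => {
    if (!Object.prototype.hasOwnProperty.call(INDICATORS, name)) return;
    const bad = INDICATORS[name];
    if (bad === null || bad.has(version)) findings.push({ path, name, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // Name is the segment after the last "node_modules/" (keeps @scope/pkg).
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      check(path, name, meta.version);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample (v3 layout, not a real project): one tainted axios
// pulling in plain-crypto-js, plus a clean nested axios that must not match.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^1.0.0" } },
    "node_modules/plain-crypto-js": { version: "1.0.3" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.7.9" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.7.9" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK)); // two findings: axios@1.14.1 and plain-crypto-js@1.0.3
```

Point `scanLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a non-empty result means the install window in the article applies and the host should be treated as the maintainers treated theirs.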