A security incident involving the widely used Axios HTTP library has revealed how attackers are increasingly targeting software maintainers themselves, rather than exploiting code vulnerabilities, to carry out large-scale supply chain attacks.
The issue came to light after Axios maintainers disclosed that an attacker gained access to a contributor’s npm account and used it to publish two compromised versions of the package, 1.14.1 and 0.30.4. These releases included a hidden dependency named plain-crypto-js, which deployed a remote access trojan across macOS, Windows, and Linux systems.
Although the malicious packages were available for only about three hours before being removed, the short exposure window does not reduce the severity. Any system that installed these versions is now considered unsafe. Users have been advised to immediately rotate all credentials, revoke authentication tokens, and assume full compromise of affected environments.
The Axios team confirmed that they have since secured their infrastructure by resetting credentials, cleaning impacted machines, and introducing additional safeguards to prevent similar incidents.
Further investigation by Google Threat Intelligence Group linked the activity to a North Korea-associated threat actor identified as UNC1069. This group, active since at least 2018, is believed to be financially motivated. Attribution was based on malware similarities, including the use of an updated toolset previously tied to the group, as well as overlaps in command-and-control infrastructure observed in earlier operations.
Social Engineering as the Entry Point
The compromise did not begin with a technical flaw. Instead, it started weeks earlier with a carefully orchestrated social engineering attack targeting Axios maintainer Jason Saayman.
Attackers posed as a legitimate organization by replicating its branding, leadership identities, and communication style. They invited the target into what appeared to be a genuine Slack workspace. This environment was not hastily assembled. It contained multiple channels, staged conversations, and curated activity, including links that redirected to real company LinkedIn profiles. Fake user accounts were also created to impersonate employees and known open-source contributors, increasing credibility.
After establishing trust, the attackers scheduled a video meeting that appeared to involve several participants. During the session, the target was shown what looked like a technical issue, specifically a connection-related error. He was then instructed to install an update presented as necessary to resolve the problem.
In reality, this “update” was malicious software that granted the attackers remote access to the system. Once inside, they were able to extract authentication credentials linked to the npm account.
Repeated Tactics Across Multiple Targets
Other maintainers later reported nearly identical experiences. In several cases, attackers attempted to persuade targets to install what they described as a Microsoft Teams software development kit update. When that approach failed, they escalated their efforts by asking victims to execute command-line instructions, including downloading and running scripts via Curl commands.
One such target, Pelle Wessman, described how attackers abandoned the interaction and deleted all communication after he refused to comply.
These methods align with a broader category of attacks sometimes referred to as “ClickFix” techniques, where victims are misled into resolving fake technical is
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: