Ransomware, Phishing, Application security, DevSecOps, Supply chain, Threat Intelligence

Axios maintainer’s post mortem confirms social engineering by UNC1069

The lead maintainer of the axios npm package, Jason Saayman, published a post mortem on the recent supply chain attack Thursday and confirmed he fell victim to social engineering by the North Korean threat actor UNC1069.

The axios package, a widely used HTTP client library with about 100 million weekly downloads and more than 174,000 dependents, was compromised Monday, with attackers publishing malicious updates that were live for about three hours.

The updates, [email protected] and [email protected], added a dependency, [email protected], with a postinstall script that installed a remote access trojan (RAT), with different versions for Windows, macOS and Linux devices.

Saayman’s breakdown of the events, published on GitHub, said he was subject to a social-engineering campaign about two weeks prior to the attack itself, leading him to install a RAT on his own machine. In follow up comments, Saayman explained the campaign was similar to those previous attributed to UNC1069, a North Korean threat operation the Google Threat Intelligence Group said was also behind the axios attack.

“Everything was extremely well co-ordinated looked legit and was done in a professional manner,” Saayman wrote, explaining that he was invited to connect with a company in a process that was specifically tailored to him.

He reported that the attackers “cloned the company's founders likeness as well as the company itself” and invited him to a “super convincing” Slack workspace with seemingly active channels and fake profiles of team members and other open-source maintainers.

He was then invited to participate in a Microsoft Teams call and encountered a prompt saying something was out of date, leading him to install what he believed to be a Teams update, which was actually the RAT. As a result, the attackers were able to gain access to his npm account, despite two-factor authentication (2FA) being enabled, Saayman said.

As the attack was underway, the attacker used Saayman’s account to delete issues published by community members reporting the attack, the post mortem stated. The malicious updates — and the attackers’ access — were ultimately removed after axios collaborator Dmitriy Mozgovoy, also known as "DigitalBrainJS," reached out directly to npm staff.

Saayman noted several steps being taken to prevent future attacks, including the adoption of immutable release and trusted publishing with OpenID Connect (OIDC) for future axios updates. He said he has also reset all of his devices and credentials for all of his personal and professional accounts.

The post mortem also acknowledged additional lessons, including the fact that there was no way to detect the attack until community members noticed the malicious code, and that the high impact of an attack on such a depended-on project requires “hyper vigilance” against social engineering.

While the malicious axios versions and malicious dependency have been removed, axios users are still urged to ensure they have not installed a malicious version. Those who have installed a malicious version should treat their system as compromised, remove the malicious components immediately and rotate sensitive credentials, Saayman wrote.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds