The Axios maintainers published a post-mortem showing a targeted social engineering campaign that led to malicious Axios npm releases (1.14.1 and 0.30.4) which injected a dependency, plain-crypto-js, that deployed a cross-platform RAT. Google TAG attributed the operation to North Korean actor UNC1069 using WAVESHAPER.V2, and maintainers have wiped affected systems, reset credentials, and advised rotating all keys. #Axios #UNC1069
Key points
- Attackers used a convincing fake company presence on Slack and staged Microsoft Teams calls to socially engineer maintainers.
- Compromised credentials were used to publish malicious Axios releases (1.14.1 and 0.30.4) that added the plain-crypto-js dependency, which installed a RAT.
- The malicious packages were available for roughly three hours; any system that installed them should be considered compromised and have credentials rotated.
- Google TAG links the campaign to UNC1069 and WAVESHAPER.V2, and similar outreach targeted multiple high-impact Node.js maintainers.
- Axios maintainers wiped affected machines, reset all credentials, and are implementing changes to prevent similar supply chain and social engineering attacks.