Hackers linked to North Korea and tracked as UNC1069 compromised the widely used axios npm package in a supply chain attack that published malicious releases, deploying a multi-stage RAT across Windows, macOS, and Linux. The attackers used a hijacked maintainer account, the activity resembles WAVESHAPER, and the incident highlights the fragility of the software supply chain and the potential for broad downstream impact. #axios #UNC1069
Key points
- Google Threat Intelligence Group and other researchers attribute the axios compromise to North Korean-linked UNC1069.
- Attackers published malicious axios versions via a hijacked maintainer npm account, adding a dependency that installed malware.
- The payload was a multi-stage RAT that executed commands, exfiltrated data, persisted, then self-deleted and restored legitimate axios to evade detection.
- Researchers noted similarities to WAVESHAPER and past North Korean supply-chain operations, including the 3CX and fake Zoom campaigns.
- Given axios’s massive usage (about 100 million weekly downloads), the compromise could have widespread downstream impacts and enable further attacks using stolen credentials.
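The mechanism in the fourth point (a malicious release that pulls in a new dependency which runs code at install time) is something a lockfile diff can surface before `npm install` runs. The script below is an added example, not code from the article or the axios project; it compares two constructed lockfile fragments and reports dependencies that newly appear under axios, flagging any that carry install scripts. Package names, versions and the `example-new-dep` entry are constructed for illustration.

```javascript
// Lockfile fragments constructed for this example (npm lockfileVersion 3 layout);
// NOT the real axios lockfiles, and "example-new-dep" is a hypothetical name.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { dependencies: { axios: "^1.0.0" } },
  "node_modules/axios": { version: "1.0.0", dependencies: { "follow-redirects": "^1.0.0" } },
  "node_modules/follow-redirects": { version: "1.0.0" },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { dependencies: { axios: "^1.0.0" } },
  "node_modules/axios": { version: "1.0.1",
    dependencies: { "follow-redirects": "^1.0.0", "example-new-dep": "^0.0.1" } },
  "node_modules/follow-redirects": { version: "1.0.0" },
  // npm sets hasInstallScript when a package declares (pre/post)install scripts
  "node_modules/example-new-dep": { version: "0.0.1", hasInstallScript: true },
} };

// Transitive dependency names reachable from `root` in the lockfile's "packages" map.
// Assumption: only top-level node_modules/<name> entries are resolved; nested
// node_modules paths created by version conflicts are ignored for brevity.
function transitiveDeps(lock, root) {
  const seen = new Set();
  const queue = [root];
  while (queue.length) {
    const entry = lock.packages["node_modules/" + queue.shift()];
    if (!entry) continue;
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  return seen;
}

// Report dependencies that newly appear under `root` between two lockfiles and
// flag any newcomer that would run code at install time.
function diffDeps(before, after, root) {
  const old = transitiveDeps(before, root);
  const added = [...transitiveDeps(after, root)].filter((d) => !old.has(d)).sort();
  const installScripts = added.filter((d) => {
    const e = after.packages["node_modules/" + d];
    return Boolean(e && e.hasInstallScript);
  });
  const ver = (lock) => (lock.packages["node_modules/" + root] || {}).version;
  return { versionBefore: ver(before), versionAfter: ver(after), added, installScripts };
}

console.log(diffDeps(LOCK_BEFORE, LOCK_AFTER, "axios"));
```

Running this on real `package-lock.json` files (parse them with `JSON.parse(fs.readFileSync(...))`) in CI, and blocking on a non-empty `installScripts` list, turns the pattern described above into a review gate rather than a post-incident finding.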
Read More: https://therecord.media/google-links-axios-supply-chain-attack-north-korea