North Korean Hackers UNC1069 Compromise Axios npm Package in Advanced Supply Chain Attack

In a significant cybersecurity incident, Google has identified the North Korean threat group UNC1069 as the perpetrators behind the recent compromise of the widely-used Axios npm package. This attack underscores the growing trend of supply chain vulnerabilities being exploited by state-sponsored actors.

Incident Overview

The attack involved unauthorized access to the npm account of Axios’s maintainer, leading to the release of two malicious versions: 1.14.1 and 0.30.4. These versions introduced a harmful dependency named plain-crypto-js, which served as a conduit for deploying a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.

Technical Details

Rather than altering Axios’s core code, the attackers utilized a postinstall hook within the package.json file of the plain-crypto-js dependency. This method ensured that upon installation of the compromised Axios package, npm would automatically execute the malicious code in the background.

The plain-crypto-js package acted as a delivery mechanism for an obfuscated JavaScript dropper named SILKBELL (setup.js). This dropper determined the victim’s operating system and fetched the appropriate next-stage payload from a remote server.

– Windows: Deployed a PowerShell-based malware.

– macOS: Delivered a C++ Mach-O binary.

– Linux: Installed a Python backdoor.

Post-execution, the dropper performed cleanup operations to remove traces of its presence, including deleting itself and replacing the plain-crypto-js package’s package.json file with a clean version devoid of the postinstall hook.

Backdoor Capabilities

The deployed backdoor, termed WAVESHAPER.V2, is an evolution of the previously identified WAVESHAPER malware associated with UNC1069. This updated version supports several commands:

– kill: Terminates the malware’s execution process.

– rundir: Enumerates directory listings, including file paths, sizes, and timestamps.

– runscript: Executes AppleScript, PowerShell, or shell commands based on the operating system.

– peinject: Decodes and executes arbitrary binaries.

The backdoor communicates with its command-and-control (C2) server at 60-second intervals, awaiting further instructions.

Attribution to UNC1069

Google’s Threat Intelligence Group (GTIG) has linked this sophisticated attack to UNC1069, a financially motivated North Korean threat actor active since 2018. The group’s history includes targeting the cryptocurrency sector through supply chain attacks. The macOS binary’s developer build paths reference Jain_DEV/client_mac/macWebT/macWebT, connecting it to previous malware campaigns by North Korean actors.

Mitigation Measures

To protect against this threat, users are advised to:

1. Audit Dependencies: Review dependency trees for compromised versions and downgrade to safe versions if necessary.

2. Pin Safe Versions: Lock Axios to a known safe version in the package-lock.json file to prevent unintended upgrades.

3. Check for Malicious Packages: Search for plain-crypto-js in node_modules and remove if found.

4. Terminate Malicious Processes: Identify and stop any suspicious processes.

5. Block C2 Domains: Prevent communication with the C2 domain sfrclak[.]com (IP address: 142.11.206[.]73).

6. Isolate Affected Systems: Disconnect compromised systems from the network to prevent further spread.

7. Rotate Credentials: Change all credentials that may have been exposed.
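As an added example (not code from the GTIG report or the Axios project), a small Node.js audit that applies steps 1 to 3 to a parsed package-lock.json and to the package.json files found under node_modules. The package names and malicious versions come from the article; the sample lockfile and package data below are constructed, and the plain-crypto-js version and postinstall command shown are placeholders.

```javascript
// Added example, not code from the GTIG report or the Axios project: audit a
// parsed package-lock.json for the malicious axios releases and for the
// plain-crypto-js dependency, then flag installed packages that declare an npm
// install-time hook. Names/versions are from the article; samples are constructed.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']), // malicious releases named in the report
  'plain-crypto-js': null,              // any version of this package is a hit
};
const HOOKS = ['preinstall', 'install', 'postinstall']; // scripts npm runs on install
// lock: parsed package-lock.json (lockfileVersion 2 or 3, whose "packages" map
// is keyed by node_modules path). Returns the entries that match an indicator.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Text after the last "node_modules/" is the package name (scoped names included).
    const name = entry.name || path.split('node_modules/').pop();
    if (!Object.prototype.hasOwnProperty.call(COMPROMISED, name)) continue;
    const badVersions = COMPROMISED[name];
    if (badVersions === null || badVersions.has(entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}
// pkgs: map of node_modules path -> parsed package.json. Returns every hook npm would run.
function findInstallHooks(pkgs) {
  const hits = [];
  for (const [path, pkg] of Object.entries(pkgs)) {
    const scripts = pkg.scripts || {};
    for (const hook of HOOKS) {
      if (hook in scripts) hits.push({ path, hook, command: scripts[hook] });
    }
  }
  return hits;
}
// Constructed sample: a project that resolved axios to the malicious 1.14.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0' }, // placeholder version
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};
const SAMPLE_PKGS = { // postinstall command below is constructed for the sample
  'node_modules/plain-crypto-js': { name: 'plain-crypto-js', scripts: { postinstall: 'node setup.js' } },
  'node_modules/follow-redirects': { name: 'follow-redirects' },
};
```

Against a real checkout, parse package-lock.json with JSON.parse(fs.readFileSync(...)) and feed each node_modules/*/package.json to findInstallHooks. Running installs with npm ci --ignore-scripts prevents any such hook from executing at all, at the cost of breaking packages that legitimately rely on install scripts.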

Broader Implications

This incident highlights the increasing sophistication of supply chain attacks and the importance of vigilance in software development and maintenance. The rapid execution of this attack, including the compromise of maintainer credentials and deployment of cross-platform payloads, indicates a well-planned operation aimed at maximizing reach and impact.

Organizations are urged to not only audit their npm dependencies but also scrutinize all package managers feeding their build pipelines. Any secrets exposed in affected environments should be considered compromised, regardless of the registry involved.

Conclusion

The compromise of the Axios npm package by UNC1069 serves as a stark reminder of the vulnerabilities inherent in software supply chains. Developers and organizations must adopt proactive security measures to safeguard against such sophisticated threats.