Hackers Hijack Axios npm Package to Spread RATs

In short: attackers took over a widely used JavaScript library and used it to distribute malware.
Attackers hijacked the axios npm package to spread remote access Trojan (RAT) malware. This affects the countless developers and projects that depend on axios, and teams that pull it in need to check their systems now.
What Happened
Threat actors recently executed a sophisticated attack on axios, an npm package used by developers worldwide. By compromising the account of maintainer Jason Saayman, they added a malicious dependency known as plain-crypto-js to axios. axios is downloaded over 100 million times a week, making it a prime target for exploitation. The attackers published their malicious dependency just a day before taking over the account, indicating deliberate planning and staging.
They didn’t stop at hijacking the npm account: the attackers also changed the email address on Saayman’s npm account to keep their access and took control of his GitHub account. This allowed them to manipulate the repository, even removing issues that could have alerted others to the compromise. The malicious versions of axios were published directly using the stolen credentials, bypassing the review that legitimate releases undergo.
Who's Being Targeted
The fallout from this attack could be extensive, affecting a vast number of developers and organizations that rely on axios as a dependency in their projects. Google's Threat Intelligence Group has warned that numerous packages depend on axios, amplifying the potential impact. This means that any developer using axios could inadvertently expose their systems to the remote access Trojans (RATs) embedded in the malicious package versions.
The threat actors behind this attack have been attributed to UNC1069, a financially motivated group linked to North Korea. Their history of cyber activities, including the use of sophisticated malware like WAVESHAPER.V2, indicates a high level of expertise and intent to exploit vulnerabilities in the software supply chain.
Signs of Infection
Developers should be vigilant for signs of infection, particularly if they have installed axios versions 1.14.1 or 0.30.4, the releases the attackers published. Indicators of compromise (IOCs) may include unusual activity on developer machines or CI/CD pipelines. Additionally, if the malicious package plain-crypto-js appears in lockfiles such as package-lock.json or yarn.lock, this could signify a breach.
The attackers employed various techniques to evade detection, including obfuscation and anti-analysis measures. These tactics highlight the evolving nature of cyber threats and the necessity for developers to maintain robust security practices.
How to Protect Yourself
To safeguard against such attacks, developers and organizations should take immediate action. Here are some recommended steps:
- Review lockfiles: Check for the presence of plain-crypto-js or the compromised axios versions (1.14.1 and 0.30.4).
- Hunt for IOCs: Look for any unusual activity across developer environments and CI/CD infrastructure.
- Rotate credentials: Ensure that all credentials are updated and any exposed systems are remediated.
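As an added example, not taken from the article or from the axios project, the following Node.js script applies the lockfile check above to package-lock.json data (lockfile versions 1 to 3) and to classic yarn.lock text; the two lockfile samples it embeds are constructed for illustration.

```javascript
// Added example (not from the article): flag the indicators the advisory names,
// the plain-crypto-js dependency and axios 1.14.1 / 0.30.4, in lockfile data.
// The two lockfile samples at the bottom are constructed for illustration.
const BAD_PACKAGE = "plain-crypto-js";
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Push a finding when a (name, version) pair matches one of the indicators.
function check(name, version, where, findings) {
  if (name === BAD_PACKAGE) findings.push({ name, version, where, reason: "malicious dependency present" });
  if (name === "axios" && BAD_AXIOS_VERSIONS.has(version)) findings.push({ name, version, where, reason: "compromised axios release" });
}

// package-lock.json, lockfileVersion 2 or 3: flat "packages" map keyed by
// node_modules path (v1 lockfiles, with a nested "dependencies" tree, are also walked).
function scanPackageLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    check(entry.name || path.slice(path.lastIndexOf("node_modules/") + 13), entry.version, path, findings);
  }
  const walk = (deps, prefix) => Object.entries(deps || {}).forEach(([name, e]) => {
    check(name, e.version, prefix + name, findings);
    walk(e.dependencies, prefix + name + " > ");
  });
  if (!lock.packages) walk(lock.dependencies, ""); // v2 carries both maps; avoid double reporting
  return findings;
}
// yarn.lock (classic): an unindented "spec, spec:" header names the package and
// the indented `version "x.y.z"` line that follows gives the resolved version.
function scanYarnLock(text) {
  const findings = [];
  let names = null;
  for (const line of text.split("\n")) {
    const header = line.match(/^(\S.*):$/);
    if (header) { // strip quotes, then the range after the last "@" (scoped names keep their leading "@")
      names = header[1].split(",").map((s) => s.trim().replace(/^"|"$/g, "")).map((s) => s.slice(0, s.lastIndexOf("@")));
      continue;
    }
    const ver = line.match(/^\s+version\s+"?([^"\s]+)"?/);
    if (ver && names) { for (const n of new Set(names)) check(n, ver[1], names.join(", "), findings); names = null; }
  }
  return findings;
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^1.0.0" } },
  "node_modules/plain-crypto-js": { version: "1.0.1" } } };
const SAMPLE_YARN = 'axios@^1.14.0:\n  version "1.14.1"\n  dependencies:\n    plain-crypto-js "^1.0.0"\n\nplain-crypto-js@^1.0.0:\n  version "1.0.1"\n';
console.log(scanPackageLock(SAMPLE_LOCK), scanYarnLock(SAMPLE_YARN));
```

To run it against a real project, replace the samples with `JSON.parse(fs.readFileSync("package-lock.json"))` and `fs.readFileSync("yarn.lock", "utf8")`; any non-empty result means the dependency tree needs the credential rotation and IOC hunt described above.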
Security experts emphasize that the build pipeline is becoming a critical front in the battle against open-source threats. Organizations must prioritize the security of their CI/CD systems and dependencies to prevent future compromises. This incident serves as a stark reminder of the vulnerabilities present in widely-used software and the need for continuous vigilance in software development practices.