North Korean Hackers Compromise Axios Package with Malware

Basically, hackers used a popular software package to secretly install malware on computers.
A critical supply chain attack has compromised the axios package, affecting numerous systems. Developers using this library are at risk of malware infection. Immediate containment and remediation actions are necessary to secure environments.
What Happened
A significant software supply chain attack has recently targeted the JavaScript ecosystem. North Korean hackers managed to inject a malicious dependency into the widely used axios NPM package. The compromised versions, axios 1.14.1 and 0.30.4, included a harmful component called plain-crypto-js. When developers installed these packages, they unknowingly introduced the WAVESHAPER.V2 backdoor into their systems, affecting Windows, macOS, and Linux environments.
This incident is particularly alarming due to axios's popularity for handling HTTP requests. The package typically sees millions of downloads weekly, meaning a single compromised update could potentially expose countless developer laptops, build servers, and CI/CD pipelines. Google Cloud researchers traced the attack back to a compromised maintainer account, which was used to insert the malicious code into the package.
How It Works
The infection mechanism relied on an obfuscated JavaScript dropper named setup.js, also tracked as SILKBELL. Upon execution, this script identified the operating system and delivered tailored payloads accordingly. For instance, on Windows, it utilized PowerShell to execute commands stealthily, while on macOS and Linux, it employed bash and curl to deploy its malicious binaries.
The malware's design allowed it to operate quietly. After dropping the payload, setup.js attempted to erase its traces and restore the original package configuration, complicating forensic investigations. The WAVESHAPER.V2 backdoor then established a connection to its command-and-control server, allowing attackers to maintain persistent access and execute further commands.
Who's Being Targeted
The attack primarily affects developers and organizations that utilize the axios library in their applications. Given axios's deep integration within various dependency trees, the risk extends beyond direct installations. Build pipelines, internal tools, and production services relying on the compromised package are all at risk of exposure.
The attackers' choice of a widely trusted open-source package highlights the vulnerabilities within the software supply chain. Developers who routinely install packages without scrutinizing their integrity may inadvertently become conduits for such attacks, leading to widespread compromise across multiple systems.
How to Protect Yourself
Organizations are urged to take immediate action to mitigate the risks associated with this attack. First, avoid using the compromised versions of axios (1.14.1 and 0.30.4) and revert to known-good releases (1.14.0 or earlier, and 0.30.3 or earlier). Additionally, check project lockfiles for any instances of plain-crypto-js versions 4.2.0 or 4.2.1.
Treat any system that has installed the malicious dependency as compromised. Rebuild or revert these systems to a secure state and rotate all credentials, including tokens and API keys. Teams should also pause affected CI/CD jobs, clear caches from npm and similar package managers, and monitor for any suspicious processes originating from Node.js applications. The overarching lesson is clear: even trusted open-source packages can become vectors for attacks, necessitating vigilance and proactive security measures.
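The lockfile check described above, as an added example that is not code from the original article: a Node.js script that walks a package-lock.json object (both the v1 nested "dependencies" layout and the v2/v3 flat "packages" layout) and flags the compromised axios and plain-crypto-js versions, including transitive copies nested under other dependencies. The sample lockfile below is constructed for illustration.

```javascript
// Added example: scan a parsed package-lock.json for the compromised versions
// named in the article (axios 1.14.1 / 0.30.4, plain-crypto-js 4.2.0 / 4.2.1).
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.0", "4.2.1"]),
};

// Lockfile v1: a nested "dependencies" tree; recurse to catch transitive copies.
function* walkV1(deps, prefix) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield [name, info.version, path];
    if (info.dependencies) yield* walkV1(info.dependencies, path + "/");
  }
}

// Lockfile v2/v3: a flat "packages" map keyed by install path such as
// "node_modules/a/node_modules/b"; the package name is whatever follows
// the last "node_modules/" (scoped names like "@scope/pkg" survive intact).
function* walkV3(packages) {
  const marker = "node_modules/";
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    yield [name, info.version, key];
  }
}

// Return every lockfile entry whose name and version match a known-bad pair.
function findCompromised(lock) {
  const entries = lock.packages ? walkV3(lock.packages) : walkV1(lock.dependencies, "");
  const hits = [];
  for (const [name, version, path] of entries) {
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) hits.push({ name, version, path });
  }
  return hits;
}

// Constructed sample (v3 layout): the top-level axios is clean, but a
// transitive copy under a hypothetical "some-sdk" pulls in the bad versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/some-sdk/node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means the install should be treated as compromised per the guidance above.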