North Korean Hackers Hijack Axios: Millions of Devices at Risk – Ankor Tech

A suspected North Korean state-sponsored threat actor has successfully hijacked a widely used open-source software project, injecting malicious code into the Axios JavaScript library. This supply chain attack, which occurred earlier this week, potentially exposes millions of developers and their end-users to remote access trojans (RATs).

The Anatomy of the Axios Supply Chain Attack

On Monday, malicious versions of the Axios library—a staple in web development for handling HTTP requests—were pushed to npm, the primary repository for JavaScript packages. Given that Axios is downloaded tens of millions of times weekly, the reach of this compromise is massive.

Security firm StepSecurity, which analyzed the incident, confirmed that the malicious versions were live for approximately three hours before being remediated.

Attribution: The North Korean Connection

Google’s Threat Intelligence Group has officially linked the operation to a North Korean threat actor tracked as UNC1069. John Hultquist, chief analyst at Google, emphasized the sophistication of the group, stating: “North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency.”

The attackers gained entry by compromising the account of a primary Axios developer. They systematically replaced the developer’s registered email address with their own, effectively locking the legitimate owner out and granting the attackers full authority to push “official” updates for Windows, macOS, and Linux environments.

The Threat: Remote Access Trojans and Evasion

The malicious updates were designed to deploy a remote access trojan (RAT), granting the hackers total control over infected systems. Security researchers at Aikido, who also investigated the breach, issued a stark warning: any developer who downloaded the compromised versions during the window of exposure should assume their system is fully compromised.

To evade detection by security software and forensic investigators, the malware included self-deletion routines that triggered automatically after installation. This tactic highlights a growing trend where sophisticated actors target open-source infrastructure—similar to previous attacks on 3CX, Kaseya, SolarWinds, and Polyfill.io—to maximize impact through mass-distribution channels.

Rising Risks in Open Source

This incident serves as a critical reminder of the vulnerabilities inherent in the modern software supply chain. While the specific number of infected downloads remains under investigation, the incident underscores the urgent need for developers to implement rigorous dependency scanning and account security measures, such as mandatory multi-factor authentication (MFA) for all package repository maintainers.