North Korean Threat Actors Hijack Axios Maintainer, Deploy RAT via Malicious npm Packages
What Happened – A social‑engineering campaign impersonating a legitimate company convinced Axios lead maintainer Jason Saayman to install a fake Microsoft Teams update. The attacker used the compromised credentials to publish two malicious Axios versions (1.14.1 and 0.30.4) to the npm registry, each bundling a “plain‑crypto‑js” dependency that installed a remote‑access trojan on macOS, Windows, and Linux systems. The packages were live for roughly three hours before removal.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Open‑source supply‑chain attacks can compromise any downstream organization that blindly trusts third‑party libraries.
- Credential compromise of a maintainer demonstrates the need for strong identity hygiene (MFA, credential rotation) for all third‑party contributors.
- The incident is linked to the North Korean UNC1069 group, highlighting nation‑state interest in open‑source ecosystems.
Who Is Affected – Software development teams across all sectors (technology, finance, healthcare, retail, etc.) that consumed the malicious Axios releases during the exposure window.
Recommended Actions –
- Immediately audit your dependency list for the Axios versions published during the attack window (1.14.1 and 0.30.4); replace them if found.
- Enforce multi‑factor authentication and credential rotation for all third‑party maintainer accounts.
- Deploy a software bill of materials (SBOM) and continuously monitor upstream package registries.
- Review and harden your open‑source governance policies (code signing, provenance checks).
Technical Notes – Attack vector: targeted social engineering (phishing) → compromised maintainer credentials → malicious npm publish. No CVE was involved; the malicious payload was delivered via a trojanized plain-crypto-js dependency. Data types at risk on affected systems include system credentials, authentication tokens, and potentially sensitive project code. Source: BleepingComputer