Threat actors have targeted an open source maintainer to hijack one of the most popular npm packages and spread remote access Trojans (RATs).
Axios is a JavaScript library downloaded over 100 million times a week and used as a dependency in countless developer environments and CI/CD pipelines.
The threat actors compromised the account of maintainer Jason Saayman, adding the malicious npm package plain-crypto-js as a dependency to axios, according to researchers at OpenSourceMalware.
Hinting at the sophistication of the attack, the threat actors apparently staged the malicious dependency the day before the account takeover. They also changed Saayman’s email address on the account for persistence, and hijacked his GitHub account for good measure.
“On GitHub, the attacker used admin privileges to unpin and delete an issue reporting the compromise – while collaborator DigitalBrainJS was actively trying to respond,” the OpenSourceMalware report continued.
“DigitalBrainJS, lacking admin access, could not revoke jasonsaayman's permissions and had to escalate to npm administration, who removed the malicious versions and revoked all tokens approximately three hours after the attack began.”
With access to Saayman’s account, the threat actors published malicious package versions v1.14.1 and v0.30.4 featuring plain-crypto-js to deploy cross-platform RATs.
Whereas legitimate axios releases are published via GitHub Actions using OIDC provenance signing, these were apparently published directly via the npm CLI using stolen credentials.
Google Flags Extensive Fallout From Axios-Linked Attack
Google has warned that the blast radius of this attack could be extensive, given the number of popular packages with dependencies on axios.
Principal threat analyst at Google Threat Intelligence Group (GTIG), Austin Larsen, urged security teams to:
- Check lockfiles, reviewing package-lock.json, yarn.lock, or pnpm-lock.yaml to see if plain-crypto-js, axios v1.14.1, or axios v0.30.4 are present
- Hunt for IOCs across developer machines and CI/CD infrastructure
- Rotate credentials and remediate any exposed systems
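The lockfile check above is easy to do by hand for one repository but tedious across many. The following scanner is an added example written for this article, not code from GTIG, OpenSourceMalware or the axios project: it reads the three lockfile formats named in the list and reports the indicators the article gives, plain-crypto-js by name and axios 1.14.1 and 0.30.4 by version. The sample lockfiles embedded below are constructed for illustration, and the plain-crypto-js version in them is a placeholder because the article does not state one.

```python
"""Scan package-lock.json, yarn.lock and pnpm-lock.yaml for the axios compromise indicators."""
import json
import re

# Indicators named in the article: the injected dependency, matched by name,
# and the two axios versions published from the hijacked maintainer account.
MALICIOUS_PACKAGES = {"plain-crypto-js"}
MALICIOUS_VERSIONS = {("axios", "1.14.1"), ("axios", "0.30.4")}


def check_indicator(name, version):
    """Return a finding string if (name, version) matches an indicator, else None."""
    if name in MALICIOUS_PACKAGES:
        return f"malicious dependency {name}@{version}"
    if (name, version) in MALICIOUS_VERSIONS:
        return f"compromised release {name}@{version}"
    return None


def scan_package_lock(text):
    """lockfileVersion 2/3 lists installs under 'packages' keyed by path;
    lockfileVersion 1 (and 2, for compatibility) uses a nested 'dependencies' tree."""
    data = json.loads(text)
    findings = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = path.split("node_modules/")[-1]  # last segment handles nested installs
        hit = check_indicator(name, meta.get("version", ""))
        if hit:
            findings.append(hit)

    def walk(deps):
        for name, meta in deps.items():
            hit = check_indicator(name, meta.get("version", ""))
            if hit:
                findings.append(hit)
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(set(findings))


# yarn classic: `axios@^1.0.0, axios@^1.1.0:` then `  version "1.1.2"`
# yarn berry:   `"axios@npm:^1.0.0":`           then `  version: 1.1.2`
YARN_HEADER = re.compile(r"^(\S.*):\s*$")
YARN_VERSION = re.compile(r'^\s+version:?\s+"?([^"\s]+)"?')


def yarn_names(header):
    """Extract package names from a yarn.lock block header (handles @scope/name)."""
    names = set()
    for spec in header.split(","):
        spec = spec.strip().strip('"')
        idx = spec.find("@", 1)  # skip a leading scope marker
        names.add(spec[:idx] if idx > 0 else spec)
    return names


def scan_yarn_lock(text):
    findings, current = [], set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        header = YARN_HEADER.match(line)
        if header:
            current = yarn_names(header.group(1))
            continue
        version = YARN_VERSION.match(line)
        if version:
            for name in current:
                hit = check_indicator(name, version.group(1))
                if hit:
                    findings.append(hit)
    return sorted(set(findings))


# pnpm v6 writes `  /axios@1.2.3:` under packages:, v9 writes `  axios@1.2.3:`.
PNPM_PACKAGE = re.compile(r"""^  ['"]?/?(@?[^@\s'"]+)@([^\s('":]+)""")


def scan_pnpm_lock(text):
    findings = []
    for line in text.splitlines():
        m = PNPM_PACKAGE.match(line)
        if m:
            hit = check_indicator(m.group(1), m.group(2))
            if hit:
                findings.append(hit)
    return sorted(set(findings))


def scan_lockfile(filename, text):
    """Dispatch on the lockfile name the three package managers use."""
    if filename.endswith("package-lock.json"):
        return scan_package_lock(text)
    if filename.endswith("yarn.lock"):
        return scan_yarn_lock(text)
    if filename.endswith("pnpm-lock.yaml"):
        return scan_pnpm_lock(text)
    raise ValueError(f"unsupported lockfile: {filename}")


# Constructed sample lockfiles; versions other than the indicators are arbitrary.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder"},
        "node_modules/some-clean-dep": {"version": "2.0.0"},
    },
})
SAMPLE_YARN_LOCK = """# yarn lockfile v1

axios@^1.0.0:
  version "1.0.0"
  resolved "https://registry.example/axios-1.0.0.tgz"

plain-crypto-js@^0.0.0:
  version "0.0.0-placeholder"
  resolved "https://registry.example/plain-crypto-js.tgz"
"""
SAMPLE_PNPM_LOCK = """lockfileVersion: '6.0'

importers:

  .:
    dependencies:
      axios:
        specifier: ^0.30.0
        version: 0.30.4

packages:

  /axios@0.30.4:
    resolution: {integrity: sha512-PLACEHOLDER}
    dev: false
"""

if __name__ == "__main__":
    for fname, text in [("package-lock.json", SAMPLE_PACKAGE_LOCK),
                        ("yarn.lock", SAMPLE_YARN_LOCK),
                        ("pnpm-lock.yaml", SAMPLE_PNPM_LOCK)]:
        print(fname, scan_lockfile(fname, text) or "clean")
```

Run it over a checkout by feeding each lockfile's contents to `scan_lockfile`; a clean lockfile returns an empty list. The scan matches plain-crypto-js on name alone, because any version of a dependency that was injected into axios is unexpected, while axios itself is flagged only on the two versions the article names.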
GTIG has attributed this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. They made this attribution based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor.
There are suggestions that the hackers in this case may be North Korean state actors, GTIG said in a blog post on March 31.
OpenSourceMalware argued, “The multi-stage architecture, platform-specific payloads and comprehensive RAT capabilities demonstrate that attackers are investing significant resources into supply chain attacks.”
“The use of obfuscation, anti-analysis techniques, and self-deletion shows awareness of modern detection capabilities and an attempt to evade them. The choice to target axios – a package with millions of weekly downloads – indicates an understanding of the npm ecosystem and potential for widespread impact.”
Avital Harel, security researcher at Upwind, said that the “build pipeline is becoming the new front line” in the battle against open source threats.
“Attackers know that if they can compromise the systems that build and distribute software, they can inherit trust at scale,” she added.
“What makes these attacks so dangerous is that they’re targeting the process behind many of them. Organizations should be looking much more closely at CI/CD systems, package dependencies, and developer environments, because that’s increasingly where attackers are placing their bets.”
