- Google Threat Intelligence Group Warns of Active Supply Chain Attack Against npm’s Axios Library
- The “plain-crypto-js” malicious dependency deployed a WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
- The attribution points to the North Korean group UNC1069, known for its long-running campaigns targeting cryptocurrency and software developers.
North Korean state-sponsored threat actors are targeting a hugely popular npm package in an attempt to infect its users with malware.
In a security advisory, Google’s Threat Intelligence Group (GTIG) said it was monitoring an “active software supply chain attack” targeting Axios, “the most popular JavaScript library used to simplify HTTP requests.” Axios wraps tasks like making API calls, handling responses, and handling errors in a simpler interface than the built-in fetch or XMLHttpRequest APIs.
The hackers targeted two versions of the package – 1.14.1 and 0.30.4 – which Google says typically see more than 100 million and 83 million weekly downloads, respectively. They attempted to introduce a malicious dependency named “plain-crypto-js”, an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
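The practical question for anyone who pulls Axios in, directly or transitively, is whether one of the two named versions or the “plain-crypto-js” dependency has landed in their lockfile. The script below is an added example, not code from Google’s advisory or from the Axios project: it walks an npm package-lock.json (both the lockfileVersion 1 nested “dependencies” layout and the lockfileVersion 2/3 flat “packages” map) and flags the two Axios versions and the dependency name quoted in the article. The sample lockfile, its version ranges and the placeholder “plain-crypto-js” version are constructed here so the script runs offline; the indicator list is only what this article names and is not a complete set of indicators.

```javascript
// Added example: scan a package-lock.json for the indicators named in the
// article. Indicator list is limited to what the article states.
const INDICATORS = {
  // package name -> Set of known-bad versions, or null meaning "any version"
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": null,
};

function matches(name, version) {
  const bad = INDICATORS[name];
  if (bad === undefined) return false;
  return bad === null || bad.has(version);
}

// lockfileVersion 2/3: flat map keyed by install path, e.g.
// "node_modules/axios" or "node_modules/foo/node_modules/axios".
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.split("node_modules/").pop(); // keeps "@scope/name" intact
    if (matches(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" objects, each with its own
// optional nested "dependencies".
function scanV1Tree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (matches(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
    scanV1Tree(meta.dependencies, `${path}/`, hits);
  }
}

// Returns every matching install, so a transitive copy nested under another
// package is reported as well as a top-level one.
function scanLockfile(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    scanPackagesMap(lockfile.packages, hits);
  } else {
    scanV1Tree(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample (not a real project's lockfile): a v3 lockfile where
// axios 1.14.1 pulled in plain-crypto-js. The "0.0.0" version is a placeholder.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0" },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

// Command-line use: node scan-lock.js path/to/package-lock.json
// (exit code 1 when anything matches, so it can gate a CI job).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCKFILE;
  const hits = scanLockfile(lock);
  for (const h of hits) console.log(`MATCH ${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Run it against every lockfile in a repository, not just the root one, and remember that a lockfile only reflects what was resolved at install time: a developer machine that ran `npm install` without a lockfile during the window when the bad versions were live needs its actual `node_modules` checked as well.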
Connecting it to North Korea
Google described WAVESHAPER.V2 as a “fully functional RAT”, capable of reconnaissance (telemetry extraction), command execution (injecting a Portable Executable (PE) into memory and running arbitrary shell commands), and system enumeration (returning detailed host metadata).
It was written in C++, but other variations have been discovered, written in PowerShell and Python, to target different environments.
It was precisely this backdoor that led Google to conclude that this was a campaign sponsored by North Korea. GTIG said WAVESHAPER.V2 is an updated version of WAVESHAPER, a backdoor that was previously used by a North Korea-linked threat actor called UNC1069.
“Additionally, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities,” Google said.
UNC1069 has apparently been active since at least 2018, making it one of the longest-running threat actor groups. Earlier this year, Mandiant observed it using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen malware strains, to target organizations in the cryptocurrency industry and steal their crypto stacks.