- Google Threat Intelligence Group warns of active supply chain attack on npm’s Axios library
- Malicious dependency “plain-crypto-js” deployed WAVESHAPER.V2 backdoor across Windows, macOS and Linux
- Attribution points to North Korea’s UNC1069 group, known for long-running campaigns targeting cryptocurrency and software developers
North Korean state-sponsored threat actors are targeting a hugely popular npm package in an attempt to infect its users with malware.
In a security advisory, Google’s Threat Intelligence Group (GTIG) said it was monitoring an “active software supply chain attack” targeting Axios, “the most popular JavaScript library used to simplify HTTP requests”. Axios wraps tasks such as calling APIs and handling responses and errors that are more verbose with the built-in fetch or XMLHttpRequest.
The attack involved two versions of the package, 1.14.1 and 0.30.4, which Google says typically see over 100 million and 83 million weekly downloads respectively. Both versions pulled in a new malicious dependency named “plain-crypto-js”, an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor on Windows, macOS and Linux.
Linking it to North Korea
Google described WAVESHAPER.V2 as a “fully functional RAT” capable of reconnaissance (extracting telemetry), command execution (in-memory injection of portable executables and running arbitrary shell commands), and system enumeration (returning detailed metadata about the host).
The sample analysed was written in C++, but variants written in PowerShell and Python were also found, targeting different environments.
It is precisely this backdoor that led Google to conclude that this was a North Korea-sponsored campaign. GTIG said WAVESHAPER.V2 is an updated version of WAVESHAPER, a backdoor previously used by a North Korean threat actor named UNC1069.
“Furthermore, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in previous activities,” Google said.
UNC1069 has apparently been active since at least 2018, making it one of the longer-running threat actor groups. Earlier this year, Mandiant observed the group using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen malware strains to target organizations in the cryptocurrency sector and steal their crypto holdings.