North Korea Hacks Axios Used by Millions in Crypto Heist

Hackers suspected of working for North Korea struck thousands of U.S. companies on Tuesday. They hijacked the npm account of Axios’s lead developer, Jason Saayman, and used it to publish two backdoored releases of the widely used JavaScript package, versions 1.14.1 and 0.30.4.

Specifically, the attack unfolded between 00:21 and 03:20 UTC on March 31. During that three-hour window, the hackers inserted a phantom dependency called “plain-crypto-js” into the Axios package. This hidden dropper deployed the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux systems. The malware then contacted a command-and-control server, launched additional payloads, and wiped its own tracks, making detection extremely difficult.
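Teams that want to know whether an install during that window pulled in the poisoned package can check their lockfiles for the two indicators the article names. The script below is an added example written for this page, not code from Axios or from any of the firms quoted; it walks both npm lockfile layouts (the nested “dependencies” tree of lockfileVersion 1 and the flat “packages” map of versions 2 and 3) and reports any axios entry at 1.14.1 or 0.30.4, plus any package named plain-crypto-js anywhere in the tree. The two sample lockfiles embedded in it are constructed for illustration.

```javascript
// Added example, not from the article: scan an npm lockfile for the two
// compromised Axios releases and the phantom dependency the report names.
// Only the indicators stated in the article are used; nothing else is assumed
// about the malicious packages.
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const PHANTOM_DEPENDENCY = "plain-crypto-js";

// lockfileVersion 2/3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/".
function nameFromPackagesKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// lockfileVersion 1 nests transitive dependencies under each entry; walk the
// whole tree so a nested axios (e.g. vendored by another library) is not missed.
function* walkV1(deps, prefix) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    yield { name, version: info.version, path };
    if (info.dependencies) yield* walkV1(info.dependencies, path);
  }
}

// Returns an array of findings: { name, version, path, reason }.
function scanLockfile(lock) {
  const entries = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project entry, not a dependency
      entries.push({ name: info.name || nameFromPackagesKey(key), version: info.version, path: key });
    }
  } else if (lock.dependencies) {
    entries.push(...walkV1(lock.dependencies, ""));
  }
  const findings = [];
  for (const e of entries) {
    if (e.name === "axios" && COMPROMISED_AXIOS_VERSIONS.has(e.version)) {
      findings.push({ ...e, reason: "compromised axios release" });
    }
    if (e.name === PHANTOM_DEPENDENCY) {
      findings.push({ ...e, reason: "phantom dependency shipped with the backdoored release" });
    }
  }
  return findings;
}

// Convenience wrapper for a real file: node scan.js ./package-lock.json
function scanLockfileFile(filePath) {
  const fs = require("node:fs");
  return scanLockfile(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample, lockfileVersion 3 layout: hits on both indicators.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.1" },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// Constructed sample, lockfileVersion 1 layout: the top-level axios is clean,
// but a library nested under "legacy-lib" pins the other compromised release.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.14.0", dependencies: { "follow-redirects": { version: "1.15.0" } } },
    "legacy-lib": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};

const demoFindings = scanLockfile(SAMPLE_LOCK_V3);
for (const f of demoFindings) console.log(`${f.path}: ${f.name}@${f.version} (${f.reason})`);
```

Run it as-is to see the findings for the constructed v3 sample, or call scanLockfileFile with the path to a project’s own package-lock.json. A clean result only means the lockfile does not pin those versions; a machine that installed Axios during the window without a lockfile, or that ran a postinstall from the phantom dependency, needs host-level review as well.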

Google’s Threat Intelligence Group formally attributed the attack to UNC1069, a financially motivated North Korea-linked group active since at least 2018. Furthermore, Google’s chief analyst, John Hultquist, warned that the incident could have “far-reaching impacts” given Axios’s massive reach. Notably, Wiz estimates that Axios is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments.

Meanwhile, StepSecurity labeled it “the most operationally sophisticated supply chain attack ever documented against a top-10 npm package.” Moreover, Mandiant CTO Charles Carmakal warned that stolen secrets from these attacks “will enable more software supply chain attacks, SaaS environment compromises, ransomware, and crypto heists over the next several days, weeks, and months.”

However, North Korea considers exposure acceptable. Ben Read of security firm Wiz told CNN that North Korea “isn’t worried about its reputation.” Therefore, the regime willingly pays the price of high-profile identification. Additionally, about half of North Korea’s missile program relies on such digital heists, a White House official confirmed in 2023. As a result, cybersecurity experts are now racing to assess the full extent of the damage, warning that a complete recovery could take several months.

Sources: CNN · Google Cloud Blog · TechCrunch · The Record · Help Net Security · Nextgov/FCW
