Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069.
“We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”
The development comes after threat actors seized control of the package maintainer’s npm account to push two trojanized versions, 1.14.1 and 0.30.4, that introduced a malicious dependency named “plain-crypto-js,” which is used to deliver a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.
Rather than introducing any code changes to Axios itself, the attack leverages a postinstall hook within the “package.json” file of the malicious dependency to achieve stealthy execution. Once the compromised Axios package is installed, npm automatically runs the malicious code in the background as part of the install.
Specifically, the “plain-crypto-js” package functions as a “payload delivery vehicle” for an obfuscated JavaScript dropper dubbed SILKBELL (“setup.js”), which fetches the appropriate next-stage payload from a remote server based on the victim’s operating system.
As previously detailed by The Hacker News, the Windows execution branch delivers PowerShell malware, while macOS systems receive a C++ Mach-O binary and Linux systems a Python backdoor. The dropper also performs a cleanup to remove itself and replace the “plain-crypto-js” package’s “package.json” file with a clean version that does not contain the postinstall hook.
Image source: Elastic Security Labs
The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069 in attacks aimed at the cryptocurrency sector. The threat actor has been operational since 2018. The supply chain attack’s links to UNC1069 were first flagged by Elastic Security Labs, citing functionality overlaps.
The three WAVESHAPER.V2 variants support four different commands, while beaconing to the command-and-control (C2) server at 60-second intervals:
- kill, to terminate the malware’s execution process.
- rundir, to enumerate directory listings, including file paths, sizes, and creation/modification timestamps.
- runscript, to run AppleScript, PowerShell, or shell commands based on the operating system.
- peinject, to decode and execute arbitrary binaries.
“WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069,” Mandiant and GTIG said. “While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands.”
“Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond).”
To mitigate the threat, users are advised to audit dependency trees for the compromised versions (and downgrade to a safe version, if found), pin Axios to a known safe version in the “package-lock.json” file to prevent accidental upgrades, check for the presence of “plain-crypto-js” in “node_modules,” terminate malicious processes, block the C2 domain (“sfrclak[.]com,” IP address: 142.11.206[.]73), isolate affected systems, and rotate all credentials.
“The Axios attack should be understood as a template, not a one-time event. The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation,” ReversingLabs Chief Software Architect Tomislav Peričin told The Hacker News.
“If this campaign is now appearing in PyPI and NuGet, that’s consistent with what the attack mechanics already suggest: the goal was maximum developer reach. Organizations need to audit not just their npm dependencies, but every package manager feeding their build pipelines, and treat any secrets exposed in affected environments as compromised, regardless of which registry they touched.”