- Google Threat Intelligence Group warns of active supply chain attack on npm’s Axios library
- Malicious “plain-crypto-js” dependency drops the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux
- The attribution points to North Korea’s UNC1069 group, known for long-running campaigns targeting software and cryptocurrency developers.
North Korean state-sponsored threat actors are targeting a popular npm package in an attempt to infect its users with malware.
In a security advisory, Google’s Threat Intelligence Group (GTIG) said it was monitoring an “active software supply chain attack” targeting Axios, “the most popular JavaScript library used to simplify HTTP requests.” It simplifies tasks like calling APIs, handling responses, and managing errors compared to using built-in tools like fetch or XMLHttpRequest.
The hackers targeted two versions of the package, 1.14.1 and 0.30.4, which Google says typically see more than 100 million and 83 million weekly downloads, respectively. Both versions pull in a new dependency called “plain-crypto-js”, an obfuscated dropper that installs the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
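The practical question for anyone running Node is whether either affected Axios version, or the “plain-crypto-js” dependency itself, has landed in a project. The script below is an added example, not code from Google or the Axios project: it walks an npm lockfile (lockfileVersion 2 or 3, which keys every installed copy under `packages`) and flags the two versions named in the advisory, any installed copy of plain-crypto-js, and any package that merely declares it as a dependency. The embedded lockfile is constructed for illustration; the function names and the `scanLockfilePath` CLI wrapper are this example's own.

```javascript
// Added example: scan an npm lockfile (v2/v3 "packages" layout) for the Axios
// versions named in the GTIG advisory and for the malicious plain-crypto-js
// dependency. Sample data is constructed, not taken from a real project.

// Axios versions the advisory names as carrying the malicious dependency.
const SUSPECT_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
// Package GTIG identified as the obfuscated dropper.
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// Lockfile keys look like "node_modules/axios" or
// "node_modules/a/node_modules/b"; the package name is the part after the
// last "node_modules/". Workspace entries (e.g. "packages/foo") fall back to
// the "name" field the lockfile records for them.
function packageName(path, meta) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? (meta.name || path) : path.slice(i + "node_modules/".length);
}

function scanLockfile(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // "" is the root project itself
    const name = packageName(path, meta);

    if (name === "axios" && SUSPECT_AXIOS_VERSIONS.has(meta.version)) {
      findings.push({ path, name, version: meta.version, reason: "axios version named in advisory" });
    }
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ path, name, version: meta.version, reason: "malicious dependency present" });
    }
    // Catch a package that declares plain-crypto-js even before it is
    // installed (a fresh "npm install" would pull it in).
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    for (const depName of Object.keys(deps)) {
      if (MALICIOUS_PACKAGES.has(depName)) {
        findings.push({ path, name, version: meta.version, reason: `declares dependency on ${depName}` });
      }
    }
  }
  return findings;
}

// Hypothetical CLI helper: read a package-lock.json from disk and scan it.
function scanLockfilePath(file) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile: one affected top-level axios that pulls in the
// dropper, plus a clean nested axios under another library.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^1.0.0" } },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "^1.13.0" } },
    "node_modules/some-lib/node_modules/axios": { version: "1.13.0" },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample is scanned.
const target = process.argv[2] ? scanLockfilePath(process.argv[2]) : scanLockfile(SAMPLE_LOCK);
for (const f of target) console.log(`${f.path}@${f.version}: ${f.reason}`);
```

A lockfile scan only tells you what is pinned; a project that depends on a caret range such as `^1.14.0` with no lockfile, or a CI job that runs `npm install` rather than `npm ci`, can still pick up the affected version at the next install, so check the ranges in package.json as well as the lock. Lockfile version 1 files use a nested `dependencies` tree instead of `packages` and would need a recursive walk this example does not implement.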
Linking it to North Korea
Google described WAVESHAPER.V2 as a “fully functional RAT” capable of reconnaissance (extracting telemetry), command execution (injecting a portable executable into memory and running arbitrary shell commands), and system enumeration (returning detailed host metadata).
The sample analysed was written in C++, but variants written in PowerShell and Python were also found, targeting different environments.
This backdoor is also what led Google to attribute the campaign to North Korea. GTIG said WAVESHAPER.V2 is an updated version of WAVESHAPER, a backdoor previously used by the North Korea-nexus threat actor UNC1069.
“In addition, analysis of the infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities,” Google said.
UNC1069 has reportedly been active since at least 2018, making it a long-running group. At the beginning of this year it was observed using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen malware strains to target organisations in the cryptocurrency sector and steal their cryptocurrency holdings.