North Korean hackers accused of hijacking Axios open-source project to distribute malware

North Korean hackers allegedly hijacked the Axios open-source project to spread malware, raising serious concerns about supply chain security in open-source software.

Apr 5, 2026 - 09:42

A suspected North Korean threat actor has reportedly taken control of a widely used open-source software tool and altered it to distribute malicious code, raising concerns that millions of developers could be exposed to potential compromise.

On Monday, a malicious actor published altered versions of the popular JavaScript library Axios. Developers commonly use this library to enable applications to communicate with internet services. The compromised versions were uploaded to npm, a widely used repository that hosts open-source packages. Axios is downloaded tens of millions of times each week, making it a high-value target for attackers.

The intrusion was identified and contained within approximately three hours overnight from Monday into Tuesday, according to analysis from cybersecurity firm StepSecurity, which investigated the incident.

Attacks targeting developers and open-source software ecosystems have become increasingly common, as threat actors aim to compromise widely used dependencies and gain indirect access to many systems. These incidents are known as supply chain attacks, where attackers infiltrate software that is later distributed to many users. Previous large-scale incidents have affected organisations such as 3CX, Kaseya, and SolarWinds, as well as open-source components such as Log4j and Polyfill.io.

It remains unclear how many developers downloaded the compromised Axios versions during the brief window when they were available. Security firm Aikido Security, which also examined the breach, warned that anyone who installed the affected package should consider their systems potentially compromised.
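A developer acting on that warning needs to know whether a compromised version is present anywhere in a project's dependency tree, including copies nested under other packages. The following is an added example, not code from the article, the researchers quoted, or the Axios project: it walks an npm package-lock.json in either the lockfileVersion 1 layout or the 2/3 layout and reports every install of a listed package at a version on a known-bad list. The version strings and the sample lockfile are constructed placeholders, since the article does not name the affected versions.

```javascript
// Added example (not from the article or the Axios project): audit an npm
// package-lock.json for installs of a package at a version on a known-bad
// list, including transitive copies nested under other dependencies. The
// version strings are PLACEHOLDERS; take real ones from the npm advisory.
const COMPROMISED = {
  axios: new Set(["0.0.0-placeholder-bad-1", "0.0.0-placeholder-bad-2"]),
};

// Returns [{ name, version, where }] for every matching install. Handles
// lockfileVersion 2/3 ("packages": flat map keyed by install path) and
// lockfileVersion 1 ("dependencies": nested tree).
function findCompromised(lock, badList = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = badList[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project, not a dependency
      // Name is everything after the last "node_modules/", so "@scope/pkg" survives.
      check(path.slice(path.lastIndexOf(marker) + marker.length), meta.version, path);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = prefix ? `${prefix} > ${name}` : name;
        check(name, meta.version, where);
        walk(meta.dependencies, where); // nested copies pulled in by a parent
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): the top-level axios is clean, but a
// second copy nested under "some-sdk" is on the bad list.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.0.0-placeholder-clean" },
    "node_modules/some-sdk": { version: "2.1.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.0.0-placeholder-bad-1" },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty result means the install should be treated as compromised, as the researchers advise.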

Researchers at Google have linked the attack to a North Korean threat group tracked as UNC1069. According to John Hultquist, chief analyst at Google’s Threat Intelligence Group, North Korean hackers have a long history of conducting supply chain attacks, often aimed at stealing cryptocurrency.

“We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” Hultquist said. “North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.”

The attacker gained access by compromising the account of one of Axios’s core maintainers, who had permission to publish updates to the library. After taking control, the attacker replaced the legitimate developer’s email address with their own, making it more difficult for the rightful owner to regain control of the account.

Once inside, the attacker injected malicious code into the library. This code was designed to deploy a remote access trojan (RAT), a type of malware that enables attackers to take full remote control of an infected system. The altered versions of Axios were then released as seemingly legitimate updates compatible with Windows, macOS, and Linux environments.

Security researchers also noted that the malicious payload, along with parts of the delivery mechanism, was engineered to delete itself automatically after execution. This behaviour was intended to evade detection by antivirus tools and complicate forensic analysis by investigators.

The incident highlights ongoing risks within the open-source software ecosystem, particularly when widely used libraries are compromised and distributed to large numbers of unsuspecting developers.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.