Suspected North Korean hackers have hijacked and modified a popular open source software development tool to distribute malware that could put millions of developers at risk of compromise.
On Monday, hackers pushed a malicious version of a widely used JavaScript library called Axios that developers rely on to connect their software to the Internet. The affected libraries were hosted on npm, a software repository that stores code for open source projects. Axios is downloaded tens of millions of times every week.
Security firm Step Security, which analyzed the attack, said the hijacking was discovered and thwarted in about three hours during the night from Monday to Tuesday.
Hackers are increasingly targeting the developers of popular open source projects in order to compromise, at scale, the people who rely on the affected code, potentially giving them access to a vast number of devices. This kind of widespread breach is called a supply chain attack because it targets software that many others depend on, letting the attackers reach everyone who installs the compromised version. In recent years, hackers have reached large numbers of users by compromising companies like 3CX, Kaseya, and SolarWinds, as well as open source tools like Log4j and Polyfill.io.
It is currently unknown how many people downloaded the malicious version of Axios during that period. Security firm Aikido, which also investigated the incident, said anyone who downloaded the code “should assume their systems have been compromised.”
Google told TechCrunch that its security researchers have linked the Axios breach to North Korean hackers.
“We attribute this attack to what we believe to be a North Korean threat actor, which we track as UNC1069,” said John Hultquist, principal analyst in Google’s Threat Intelligence Group. “North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrencies. The full scope of this incident is still unknown, but given the popularity of the compromised packages, we expect it to have far-reaching impact.”
Do you have more information about this hack, or about another supply chain attack? You can contact Lorenzo Franceschi-Bicchierai securely from any non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or by email.
Hackers were able to slip malicious code into Axios by compromising the account of one of the project’s key developers, who was authorized to push updates. The hacker replaced the legitimate developer’s email address on the account with his own, making it even more difficult for the developer to regain access.
The hacker who took control of the account inserted malicious code designed to deliver a remote access Trojan (RAT). This is essentially malware that allows hackers to take full remote control of the victim’s computer. The hackers then pushed a new version of Axios with legitimate-looking updates for Windows, macOS, and Linux users.
Security researchers said the hackers also designed the malware and some of the code used to distribute it to be automatically removed after installation to hide it from anti-malware engines and investigators.
Updated to include information from Google regarding North Korea attribution.
