
The administrator of the Axios npm package acknowledged that the supply chain compromise was the result of a highly targeted social engineering campaign orchestrated by North Korean threat actors, tracked as UNC1069.
Administrator Jason Saayman said the attackers first approached him posing as the founders of legitimate, well-known companies and then tailored their social engineering efforts “specifically towards me.”
“They were not only copying the company itself, but also the likeness of the founder,” Saayman said in a post-mortem of the case. “Then they invited me into a real Slack workspace, which was branded to the company’s CI and given a plausible name. It was very well thought out. They had a channel to share their LinkedIn posts.”
The attackers then allegedly scheduled a meeting with him on Microsoft Teams. When he joined the fake call, he was shown a fake error message that said “Something on your system was not up to date.” As soon as the supposed update began, the attack deployed a remote access trojan.
The access granted by this Trojan allowed the attacker to steal the npm account credentials needed to publish two trojanized versions of the Axios npm package (1.14.1 and 0.30.4) containing an implant named WAVESHAPER.V2.
“Everything was very well-coordinated, looked legitimate and was done in a professional manner,” Saayman added.
The attack chain described by the project administrator has extensive overlap with tradecraft related to UNC1069 and BlueNoroff. Details of this campaign were extensively documented last year by Huntress and Kaspersky, with the latter tracking it under the name GhostCall.
“Historically, […] these particular guys are going after crypto founders, venture capitalists, everyday people. They do social engineering to take over accounts and then target the next round of people,” said security researcher Taylor Monahan. “The evolution to targeting [OSS maintainers] is a little worrying in my opinion.”
As a precaution, Saayman outlined several changes, including resetting all devices and credentials, enabling immutable releases, adopting the OIDC flow for publishing, and updating the project’s GitHub Actions workflows to follow best practices.
The incident shows that open source project administrators are increasingly becoming targets of sophisticated attacks, which effectively lets attackers reach downstream users at scale by publishing poisoned versions of popular packages.
Since Axios attracts nearly 100 million downloads each week and is heavily used across the JavaScript ecosystem, the blast radius of such a supply chain attack can be huge, as the poisoned versions propagate quickly through both direct and transitive dependencies.
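A defender-side check for the exposure question raised above, added here as an example and not taken from the article or the Axios project: it walks a parsed package-lock.json (lockfileVersion 2 or 3) and reports every installed copy of axios at one of the two trojanized versions, noting whether each is a direct dependency or one pulled in transitively and nested under another package. The sample lockfile and the `some-sdk` package in it are constructed for the demonstration.

```javascript
// Added example, not code from the article or the Axios project.
// Scans a parsed package-lock.json (lockfileVersion 2 or 3, which carry a
// flat "packages" map keyed by install path) for the two trojanized Axios
// releases named in the article, including copies nested under other
// dependencies that a glance at package.json would miss.

// Versions the article identifies as trojanized.
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Returns one record per installed axios copy at a compromised version.
// `lock` is the parsed lockfile object; v1 lockfiles (nested "dependencies"
// tree, no "packages" map) are not handled here.
function findCompromisedAxios(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const rootDeps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/axios")) continue;
    if (!COMPROMISED_AXIOS_VERSIONS.has(meta.version)) continue;
    // The hoisted top-level copy is a direct dependency only if the root
    // package itself lists axios; a copy nested under another package's
    // node_modules reached the tree transitively.
    const direct = path === "node_modules/axios" && "axios" in rootDeps;
    hits.push({ path, version: meta.version, direct });
  }
  return hits;
}

// Constructed sample lockfile: a clean top-level axios plus a compromised
// copy pulled in transitively by a hypothetical "some-sdk" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  },
};

for (const h of findCompromisedAxios(SAMPLE_LOCK)) {
  console.log(`${h.direct ? "direct" : "transitive"}: ${h.path}@${h.version}`);
}
```

To run it against a real project, pass `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to `findCompromisedAxios` instead of `SAMPLE_LOCK`.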
“The compromise of a widely used package like Axios shows how difficult it is to reason about exposure in modern JavaScript environments,” said Socket’s Ahmad Nassri. “This is a property of how dependency resolution in ecosystems works today.”
