The North Korean cyberattack that briefly hijacked one of the web’s most widely used open source projects last Monday took weeks to execute as part of a long campaign targeting the code’s top developers.
The March 31 hijacking of the Axios project was successful in part because it relied on well-resourced hackers building relationships and trust with their intended targets over time to increase the odds of an eventual successful breach. This type of hack highlights the security challenges that developers of popular open source projects can face at a time when government hackers and cybercriminals alike are targeting widely used projects, in some cases for their ability to access millions of devices around the world.
Jason Saayman, who manages the popular Axios project that developers use to connect their apps to the internet, provided a timeline of the hack in a post-mortem. He said hackers launched a targeted campaign lasting about two weeks that eventually took control of his computer and pushed malicious code.
By posing as a real company, creating a realistic-looking Slack workspace, and using fake employee profiles to increase their credibility, Saayman said, the suspected North Korean hackers invited him to a web conference, where he was encouraged to download malware disguised as an update needed to join the call. Saayman said the lures mimic techniques North Korean hackers use to trick potential victims into granting remote access to their systems, often in order to steal cryptocurrency.
Saayman said the attack mimicked an earlier hack that Google security researchers attributed to North Korea.
After hackers broke into Saayman’s computer and gained remote access, they released a malicious update to the Axios project.
The two malicious Axios packages were pulled about three hours after they were first published on March 31st, and may still have infected thousands of systems during that time, but the full extent of the massive hack is still not completely clear. Computers that installed malicious versions of the software during this time may have allowed hackers to steal private keys, credentials, and passwords from that computer, potentially leading to further breaches.
Saayman did not immediately respond to an email asking questions about the incident.
North Korean hackers remain one of the most active cyber threats on the internet, and are credited with stealing at least $2 billion in cryptocurrencies in 2025 alone.
Kim Jong Un’s regime remains under international sanctions and has been banned from global financial networks for violating a ban on its nuclear weapons program. The country generates most of its funding by launching cyberattacks and stealing cryptocurrency.
North Korea is believed to have thousands of highly organized hackers, most of them operating against their will under the repressive Kim regime. These hackers spend weeks or months conducting complex social engineering attacks aimed at gaining trust and ultimately gaining access, stealing cryptocurrencies and data, and extorting victims.