After the Axios Breach: Google Tracks North Korean Hacker Group UNC1069


Security teams at the Google Threat Intelligence Group (GTIG) have reported a compromise of the widely used JavaScript library Axios, which was infected with a Trojan affecting Windows, macOS, and Linux systems. The attack has been attributed to the North Korean group UNC1069, active since 2018 and known for targeting cryptocurrencies and decentralized finance (DeFi) platforms.

WAVESHAPER V.2: Advanced Malware Evolution

The attack deployed a new version of the WAVESHAPER malware, showing similarities with previous campaigns:

  • Regular communication with C2 (Command & Control) servers.
  • Use of unusual network identifiers.
  • Targeting all operating systems via the SILKBELL script, acting as a dropper to fetch the final payload for each platform.

Compromised versions of Axios and plain-crypto-js were published briefly, with mechanisms to erase traces post-deployment and evade detection.

Essential Security Steps for Developers

  1. Check whether your projects depend on the affected versions: Axios 1.14.1 and 0.30.4, and plain-crypto-js 4.2.0 and 4.2.1.
  2. Roll back to safe versions and lock them to prevent accidental deployment.
  3. Scan affected systems for RATs that could steal tokens, API keys, and certificates.
  4. Isolate compromised systems and stop malicious processes while preserving evidence for investigation.
  5. Clear npm, yarn, and pnpm caches to prevent reinfection.
  6. Rotate all secrets and credentials used in development environments.
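One way to carry out step 1 against an npm lockfile, as an added example that is not part of the original article or of any GTIG or Axios tooling. It walks the `packages` map of a package-lock.json (lockfile version 2 or 3, assumed format), including nested copies under other dependencies' `node_modules`, and reports any entry matching the versions named above; the sample lockfile is constructed.

```javascript
// Scan an npm package-lock.json for the Axios / plain-crypto-js versions
// named in the advisory. Added example; not from the original page.

// Versions the article lists as compromised.
const AFFECTED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.0", "4.2.1"]),
};

// Bare package name from a lockfile "packages" key, e.g.
// "node_modules/sdk/node_modules/axios" -> "axios", "node_modules/@s/p" -> "@s/p".
function packageNameFromPath(path) {
  const parts = path.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every lockfile entry whose name and version are on the affected list.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const bad = AFFECTED[name];
    if (bad && meta.version && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample: a clean top-level axios, an affected nested axios
// pulled in by another package, and an affected plain-crypto-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

// Stand-alone use: `node scan.js [path/to/package-lock.json]`; without an
// argument the constructed sample is scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const h of findAffected(lock)) {
    console.log(`AFFECTED: ${h.name}@${h.version} at ${h.path}`);
  }
}
```

A hit on a nested path means the dependency was introduced transitively, so pinning the top-level version alone will not remove it.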

Why Axios is a High-Risk Target

Supply chain attacks via npm can automatically affect thousands of projects, posing significant threats to sensitive data in cloud environments and CI/CD pipelines.
