Dev.to AI | 2h ago | Business & Industry

North Korean Hackers Compromise Axios Maintainer Through Sophisticated Social Engineering

North Korean hackers built a fake company and social profiles to trick the lead maintainer of the popular axios library into installing malware. With control of his machine and npm account, they published malicious axios versions that pulled in a trojanized dependency. The attack highlights weaknesses in open-source supply-chain security.


Why it matters

This attack on the axios library, which has over 100 million weekly downloads, demonstrates the sophisticated tactics used by North Korean hackers to compromise open-source software and the limitations of current security measures.

Key Points

  1. North Korean hackers created a fake company with a Slack workspace, LinkedIn profiles, and a Teams meeting to gain the trust of the axios maintainer
  2. They tricked the maintainer into installing a remote access trojan (RAT) during the Teams meeting, giving them full control of his machine
  3. The hackers used this access to publish malicious versions of axios with a dependency on a trojan package, which was live for 3 hours before being taken down
  4. This attack exposed gaps in npm's security model that two-factor authentication could not prevent, as the hackers were able to change the maintainer's email and use a long-lived access token

Details

The attack involved North Korean hackers building a fake company, complete with a Slack workspace, LinkedIn activity, and fake employee profiles, to trick the lead maintainer of the popular axios library into installing malware. After establishing trust through the Slack workspace, the hackers scheduled a Teams meeting during which they persuaded the maintainer to install an "update" that was actually a remote access trojan (RAT). This gave the hackers full control of the maintainer's machine, which they used to publish malicious versions of axios that declared a dependency on a trojan package. That package deployed platform-specific payloads on affected systems, beaconing to a North Korean-linked domain. Although the maintainer had two-factor authentication enabled, it did not stop the attack: the hackers changed his npm email and used a long-lived access token to publish the malicious versions, so no second factor was ever requested. This highlights the weaknesses in open-source software security and the need for more robust measures to protect critical libraries.
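As an added defender-side example (not code from the article or from the axios project), the check below diffs the runtime dependency sets of consecutive releases in an npm registry record and flags any release that introduces a dependency its predecessor lacked, which is the pattern the compromised versions described above followed. The package name, version numbers and dependency names are constructed for illustration.

```javascript
// Parse "MAJOR.MINOR.PATCH"; returns null for tags or pre-releases we skip.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Classify the bump so a patch release that adds a dependency stands out.
function bumpKind(prev, next) {
  const a = parseSemver(prev), b = parseSemver(next);
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return "patch";
}

// Walk releases in semver order and report every newly introduced
// runtime dependency (devDependencies are not installed by consumers).
function findNewDependencies(packument) {
  const versions = Object.keys(packument.versions)
    .filter(parseSemver)
    .sort(compareSemver);
  const findings = [];
  for (let i = 1; i < versions.length; i++) {
    const prev = packument.versions[versions[i - 1]].dependencies || {};
    const cur = packument.versions[versions[i]].dependencies || {};
    const added = Object.keys(cur).filter((d) => !(d in prev));
    if (added.length > 0) {
      findings.push({ version: versions[i], bump: bumpKind(versions[i - 1], versions[i]), added });
    }
  }
  return findings;
}

// Constructed sample in the shape of a registry "packument"; the name,
// versions and dependencies are made up, not the real axios record.
const SAMPLE_PACKUMENT = {
  name: "example-http-client",
  versions: {
    "1.12.0": { dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0" } },
    "1.12.1": { dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0" } },
    "1.12.2": { dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0", "plain-crypto-utils": "1.0.0" } },
  },
};

const FINDINGS = findNewDependencies(SAMPLE_PACKUMENT);
for (const f of FINDINGS) console.log(`${f.version} (${f.bump} bump) adds: ${f.added.join(", ")}`);
```

The same logic runs unchanged on a real registry response (`https://registry.npmjs.org/<name>`), where a patch release that adds a dependency is worth a manual look before upgrading.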
