Ongoing supply chain attacks
📊 Analytics, 2026-04-03, 12:58
The group UNC1069, which has been linked to North Korean operations, carried out an attack on the popular JavaScript library Axios. This library is used in thousands of projects and has tens of millions of weekly downloads via npm.
The attackers specifically targeted an Axios maintainer and executed a multi-stage social engineering campaign. They posed as employees of a well-known company, fully replicated its branding, and even created a convincing Slack workspace with realistic activity and content. The victim was then invited to a meeting in Microsoft Teams. During the call, the attackers demonstrated a fake system issue and suggested an "update". Once the user launched it, a RAT was installed on the device, providing remote access.
After gaining access to the account, the attackers:
🟠 stole npm credentials;
🟠 published compromised versions of Axios;
🟠 embedded a malicious component, WAVESHAPER.V2, a cross-platform backdoor.
This backdoor allows attackers to execute commands on the system, collect data and files, and deploy additional payloads.