North Korea-linked hackers suspected in Axios open-source hijack, Google analysts say
“The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts,” a chief Google analyst said.
North Korea-aligned hackers are believed to have seized a widely-used, open-source JavaScript library, Google intelligence analysts said Tuesday, in a move that could put a significant number of software developers at risk of system compromise.
The hackers introduced compromised versions of Axios, a popular open-source JavaScript library, on Monday. Developers use the package, which is downloaded millions of times weekly, to enable internet connectivity for their software. The open-source library is not related to the national news organization also named Axios.
Security firm StepSecurity detected and halted the hack within a few hours of its deployment between late Monday and early Tuesday.
Google’s Threat Intelligence Group is investigating the attack and has attributed it to a suspected North Korean group they track as UNC1069, said John Hultquist, the group’s chief analyst.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts,” Hultquist added.
Rather than tampering with Axios itself, the attackers slipped in rogue code that executed during installation, bringing in a cross-platform remote access trojan, according to StepSecurity. The malware immediately reached out to a command-and-control server, deployed additional payloads and then wiped its own tracks, making detection difficult.
“This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” the StepSecurity blog says, referring to packaged collections of JavaScript code.
A supply chain attack occurs when hackers compromise a third-party software or service provider to distribute malware to its users downstream. The attack on Axios could give hackers remote access to infected systems, allowing them to steal credentials, move through networks and potentially compromise connected software used by thousands of other users.
Both the FBI and the Cybersecurity and Infrastructure Security Agency declined comment when contacted by Nextgov/FCW. It’s not immediately clear if that campaign has directly impacted U.S. government systems, though the attack vector could raise concerns for federal agencies and contractors that rely on widely used open-source packages.
Chinese, Russian and North Korean-affiliated hackers have been covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers and governments around the world, according to findings released last August from Strider Technologies.
Open-source projects — which underpin software systems used everywhere — rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers, who chat with one another about proposed changes.
Historically, community practices have operated under the premise that all contributors are benevolent. But that notion was challenged in 2024 when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.
In December, the chairman of the Senate Intelligence Committee asked the White House national cyber director to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies.
Last August, Nextgov/FCW first reported that a Russia-based Yandex employee was the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built software packages in the Department of Defense.
Facts Only
Actors: North Korea-aligned hackers, Google's Threat Intelligence Group (attributed to UNC1069)
Actions/Events: Seized open-source JavaScript library Axios, introduced compromised versions of Axios, slipped in rogue code during installation, brought in a cross-platform remote access trojan
Timeline: Monday (compromised version introduced), between late Monday and early Tuesday (hack detected and halted)
Location: Unspecified (likely global as the library is downloaded millions of times weekly)
Executive Summary
Full Take
The attack on Axios, a widely used open-source JavaScript library, could give hackers remote access to infected systems, allowing them to steal credentials, move through networks, and potentially compromise connected software used by thousands of other users. This incident highlights the vulnerabilities of open-source projects that rely on contributions from community members to keep them updated with patches. It also raises concerns for federal agencies and contractors that rely on widely used open-source packages.
Patterns detected: ARC-0024 Ambiguity (The motive behind the attack is not explicitly stated in the article)
This incident echoes historical patterns of North Korean hackers using supply chain attacks to steal cryptocurrency. It is essential for individuals and organizations to be vigilant about the security of open-source packages they use, especially those that are widely popular and rely on community contributions for updates.
Bridge Questions: Who else could potentially be targeted in similar supply chain attacks? What steps can be taken to improve the security of open-source projects and mitigate their vulnerabilities?
Sentinel — Human
This text shows signs of having been written by a human, with varied sentence lengths, passionate yet balanced reporting, and no clear indications of being part of a coordinated synthetic production.
