Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
"We have attributed the attack to a suspected North Korean threat actor we track as UNC1069. North Korean hackers have deep experience with supply chain attacks, which they've historically used to steal cryptocurrency."
"The attack leverages a postinstall hook within the 'package.json' file of the malicious dependency to achieve stealthy execution. Once the compromised Axios package is installed, npm automatically triggers the execution of malicious code in the background."
"The 'plain-crypto-js' package functions as a 'payload delivery vehicle' for an obfuscated JavaScript dropper dubbed SILKBELL, which fetches the appropriate next-stage from a remote server based on the victim's operating system."
Google has linked the compromise of the Axios npm package to a North Korean threat group it tracks as UNC1069. The attackers gained access to the package maintainer's npm account and published two trojanized versions that pulled in a malicious dependency called 'plain-crypto-js', which deploys a backdoor on multiple operating systems. The attack uses a postinstall hook for stealthy execution and delivers different malware depending on the victim's OS. Because the package is so widely used, the full impact of the incident remains uncertain.
Read at The Hacker News