Axios NPM Package Breached in North Korean Supply Chain Attack
Malicious versions of the Axios NPM library were distributed in a supply chain attack attributed to North Korean hackers. Two backdoored releases, 1.14.1 and 0.30.4, were published to the NPM registry; each ran a payload at install time on macOS, Windows and Linux with no user interaction. Approximately 3% of the Axios userbase downloaded these versions before they were removed. The backdoor was delivered through a phantom dependency, a package that the Axios code never imports, whose only job was to run an install script that dropped a remote access trojan (RAT). The RAT gave the operators remote shell execution and system reconnaissance, and it attempted to cover its tracks after installation.
"The backdoored iterations contained a phantom dependency that was published to the registry 18 hours before the attack. Named [email protected], the dependency is never imported anywhere by the Axios code."
"Its sole purpose is to execute a post-install script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads."
"After execution, the malware attempts to remove installation artifacts and replaces its own package metadata with a clean version to evade forensic detection."
Read at SecurityWeek