A popular software tool used by developers around the world was briefly hijacked by suspected North Korean hackers, who turned it into a vehicle for stealing login credentials. Here’s what happened and why it matters.

Based on the original report by Sam Sabin / Axios.


What Happened?

Hackers managed to break into the account of a maintainer of Axios — a widely used JavaScript tool that helps software communicate over the internet — and used that access to publish malicious versions of the software. Those tampered versions were designed to steal credentials and give attackers ongoing access to infected systems.

The malicious versions were live for roughly three hours before being discovered and removed. But given that Axios is downloaded around 100 million times per week and is present in approximately 80% of cloud and coding environments, even a brief window carried serious risk.

Note: Axios the JavaScript library has no connection to Axios the news outlet.


Who Did It?

Researchers at Google linked the attack to a North Korean hacking group known as UNC1069, which has previously targeted cryptocurrency and decentralised finance companies. At least two malicious versions of the package were published before they were caught and taken down.


How Bad Could It Get?

Google’s chief analyst at its Threat Intelligence Group warned the incident could have far-reaching consequences, given how embedded Axios is in modern software development. So far, security firm Wiz has found the malicious versions in about 3% of the environments it has scanned — a small percentage that still represents a significant number of affected systems worldwide.


What’s Still Unknown?

It’s not yet clear how the attackers got into the maintainer’s GitHub account in the first place. Google also clarified that this attack is separate from another major supply chain attack that was disclosed just last week — a reminder of how frequently these incidents are now occurring.


Why These Attacks Are Hard to Stop

Supply chain attacks are particularly dangerous because even after the malicious software is removed, infected code can linger in downstream projects for a long time. Developers who downloaded the package during the attack window may still be running compromised code without knowing it.
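One way to check whether a project still carries a tampered copy, as an added example that is not part of the original article: walk the npm lockfile and list every resolved copy of axios, including transitive copies nested under other packages, then flag any version on a denylist. The malicious version numbers are not given in the article, so the denylist below holds placeholders; the lockfile is a constructed sample in npm lockfileVersion 2/3 format.

```javascript
// Added example (not from the article): audit a package-lock.json for every
// copy of axios it resolves, including transitive copies nested under other
// packages, and flag versions on a denylist. Assumes npm lockfileVersion 2 or 3.

// The article does not list the malicious version numbers; these are
// placeholders to be replaced with the values from the advisory you trust.
const KNOWN_BAD_VERSIONS = new Set([
  "0.0.0-placeholder-bad-1",
  "0.0.0-placeholder-bad-2",
]);

// Return every installed axios entry in the lockfile as [{ path, version }].
// Keys in "packages" look like "node_modules/axios" or
// "node_modules/some-sdk/node_modules/axios"; matching on the full trailing
// segment avoids false hits on names such as "axios-retry".
function findAxiosInstalls(lockfile) {
  if (!lockfile.packages || (lockfile.lockfileVersion ?? 0) < 2) {
    throw new Error("expected npm lockfileVersion 2 or 3 with a 'packages' map");
  }
  return Object.entries(lockfile.packages)
    .filter(([key]) => key === "node_modules/axios" || key.endsWith("/node_modules/axios"))
    .map(([key, meta]) => ({ path: key, version: meta.version }));
}

// Keep only the installs whose version is on the denylist.
function flagCompromised(installs, badVersions = KNOWN_BAD_VERSIONS) {
  return installs.filter((install) => badVersions.has(install.version));
}

// Constructed sample lockfile: one direct axios on the denylist, one clean
// transitive copy under a vendor SDK, and an unrelated package whose name
// merely starts with "axios".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.0.0-placeholder-bad-1" },
    "node_modules/axios-retry": { version: "0.0.0-placeholder-clean" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.0.0-placeholder-clean" },
  },
};

const sampleHits = flagCompromised(findAxiosInstalls(SAMPLE_LOCKFILE));
for (const hit of sampleHits) {
  console.log(`compromised axios ${hit.version} at ${hit.path}`);
}
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of the sample; a transitive copy pinned by another dependency is the case that survives a plain `npm update axios`.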

For more background, see: Why organisations struggle to fend off supply chain cyberattacks.

