- Google Threat Intelligence Group warns of supply chain attack on Axios npm library
- Malicious “plain-crypto-js” dependency installs the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux
- The attack is attributed to the North Korean group UNC1069, known for long-running campaigns against cryptocurrency firms and software developers
North Korean government-sponsored threat actors are targeting a popular npm package in an attempt to infect its users with malware.
In a security advisory, Google’s Threat Intelligence Group (GTIG) said it was monitoring “active software attacks” targeting Axios, “a JavaScript library widely used to simplify HTTP requests”. Axios simplifies tasks such as calling APIs, handling responses, and dealing with errors compared to the browser’s built-in fetch or XMLHttpRequest.
The attackers targeted two versions of the package, 1.14.1 and 0.30.4, which Google says typically see more than 100 million and 83 million weekly downloads, respectively. They introduced a malicious dependency called “plain-crypto-js”, a dropper that deploys the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
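A quick check for the indicators above, as an added example that is not part of the TechRadar article or Google’s advisory: it scans an npm lockfile (lockfileVersion 2 or 3, i.e. the `packages` map) for the “plain-crypto-js” dependency and for the two Axios versions named. The sample lockfile is constructed for the demonstration; the package name and version numbers are the ones the article reports, and the function names are the example’s own.

```javascript
// Added example: audit an npm lockfile for the indicators reported in the
// Axios advisory. Not code from Google, Axios or the attackers.
// Indicators (from the article): the malicious "plain-crypto-js" dependency
// and the Axios versions 1.14.1 and 0.30.4.
const BLOCKED_PACKAGES = new Set(['plain-crypto-js']);
const FLAGGED_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };

// Constructed sample lockfile (lockfileVersion 3): a project that pulled in
// the affected Axios build, which in turn pulled in the malicious dependency.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      dependencies: { 'plain-crypto-js': '^1.0.0', 'follow-redirects': '^1.15.6' },
    },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '1.0.0' },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

// Lockfile keys are install paths such as
// "node_modules/a/node_modules/@scope/b"; the package name is the last
// segment after the final "node_modules/", which keeps scoped names intact.
function packageNameFromPath(installPath) {
  const parts = installPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Walk every installed package (nested copies included) and report any
// blocked package and any flagged version. Returns an array of findings;
// an empty array means the lockfile carries none of the indicators.
function auditLockfile(lock) {
  if (!lock || typeof lock.packages !== 'object') {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(installPath);
    if (BLOCKED_PACKAGES.has(name)) {
      findings.push({ path: installPath, name, version: entry.version, reason: 'blocked package' });
    }
    const badVersions = FLAGGED_VERSIONS[name];
    if (badVersions && badVersions.has(entry.version)) {
      findings.push({ path: installPath, name, version: entry.version, reason: 'flagged version' });
    }
  }
  return findings;
}

// Convenience wrapper for a lockfile on disk (CommonJS / Node.js only).
function auditLockfileFile(file) {
  const fs = require('fs');
  return auditLockfile(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Run stand-alone: `node audit.js package-lock.json`, or with no argument
// to audit the constructed sample. Exit code 1 signals a finding, so the
// script can gate a CI step.
if (typeof module !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const findings = target ? auditLockfileFile(target) : auditLockfile(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.reason}: ${f.name}@${f.version} at ${f.path}`);
  }
  process.exitCode = findings.length > 0 ? 1 : 0;
}
```

The lockfile only records what npm resolved; a tree installed with `--no-package-lock`, or a lockfile older than the last install, can differ from what is actually on disk, so pair this with `npm ls plain-crypto-js` in the checked-out project and with the same scan over any CI cache or container image that vendors node_modules.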
Tying it to North Korea
Google described WAVESHAPER.V2 as a “fully functional RAT”, capable of reconnaissance (extracting telemetry), command execution (in-memory executable injection and arbitrary shell commands), and system enumeration (returning detailed host metadata).
The backdoor is written in C++, but PowerShell and Python variants also exist to target different environments.
It was this backdoor that led Google to conclude that this was a campaign sponsored by North Korea. GTIG said WAVESHAPER.V2 is an updated version of WAVESHAPER, a backdoor previously used by a North Korea-nexus threat actor called UNC1069.
“In addition, an analysis of the infrastructure used in this attack shows overlap with the infrastructure used by UNC1069 in previous operations,” Google said.
UNC1069 has apparently been active since at least 2018, making it one of the longest-running threat actors out there. Earlier this year, Mandiant observed a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen malware families used to target organizations in the cryptocurrency sector and steal their crypto holdings.