
The attack follows a series of supply chain attacks that impacted multiple open-source projects across different package repositories over the past several weeks, most of them attributed to a group known as TeamPCP. However, the Google Threat Intelligence Group (GTIG) has attributed the Axios attack to a North Korean threat actor it tracks as UNC1069.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst with GTIG. “The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.”
In their analysis, Snyk researchers also noted the sophistication of the techniques used in the attack.
“The attacker also showed meaningful operational sophistication, pre-staging the malicious dependency, using a ‘clean’ version history, double-obfuscating the dropper, building platform-specific RATs, and implementing anti-forensic self-deletion,” the Snyk researchers said in their report. “This was not opportunistic.”
