The North Korean threat actor blamed for the Axios supply chain attack has been aiming its social engineering campaign at various Node.js maintainers, Socket reports.
The Axios attack occurred on March 31, when two malicious package versions were published to the NPM registry. They were removed roughly three hours later, but were likely installed by over 3 million users.
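A malicious release that lives on the registry for only a few hours still ends up pinned in the lockfiles of everyone who installed during that window, and once the registry pulls it the consumer's `package-lock.json` points at a version the registry no longer lists. The following is an added example (not code from the article, Socket, or the Axios project) that audits a lockfile against npm packument metadata to surface exactly that condition, plus any installed version published inside a given incident window. The package names, versions, dates, and the `sampleRegistry` object are constructed samples; the packument layout (`versions` and `time` maps) is the real npm one, and in practice you would fetch it from `https://registry.npmjs.org/<name>` instead of embedding it.

```javascript
// Added example, not part of the original article: audit a lockfileVersion 2/3
// package-lock.json against npm packument metadata. All package names, versions
// and dates below are CONSTRUCTED samples for an offline run.

const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "fake-http-lib": "^1.8.0" } },
    "node_modules/fake-http-lib": {
      version: "1.8.2",
      resolved: "https://registry.npmjs.org/fake-http-lib/-/fake-http-lib-1.8.2.tgz",
    },
    "node_modules/fake-helper": { version: "2.0.0" },
  },
};

// Constructed packuments. Note that fake-http-lib 1.8.2 is absent from
// `versions` (it was unpublished) but still has a `time` entry, which is
// how the npm registry records removed versions.
const sampleRegistry = {
  "fake-http-lib": {
    name: "fake-http-lib",
    versions: { "1.8.0": {}, "1.8.1": {}, "1.8.3": {} },
    time: {
      "1.8.0": "2025-01-10T10:00:00.000Z",
      "1.8.1": "2025-02-02T10:00:00.000Z",
      "1.8.2": "2025-05-20T12:00:00.000Z",
      "1.8.3": "2025-05-20T15:30:00.000Z",
    },
  },
  "fake-helper": {
    name: "fake-helper",
    versions: { "2.0.0": {} },
    time: { "2.0.0": "2025-11-01T00:00:00.000Z" },
  },
};

// Collect { name, version } pairs from the lockfile's "packages" map.
// Nested installs such as node_modules/a/node_modules/b resolve to "b".
function installedFromLockfile(lockfile) {
  const marker = "node_modules/";
  const out = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (!key.startsWith(marker) || !entry.version) continue;
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    out.push({ name, version: entry.version });
  }
  return out;
}

// Flag installed versions the registry no longer lists, and any version whose
// publish time falls inside [windowStart, windowEnd] (an incident window).
function auditLockfile(lockfile, registry, windowStart, windowEnd) {
  const findings = [];
  for (const { name, version } of installedFromLockfile(lockfile)) {
    const packument = registry[name];
    if (!packument) {
      findings.push({ name, version, reason: "package missing from registry" });
      continue;
    }
    const listed = Object.prototype.hasOwnProperty.call(packument.versions || {}, version);
    const stamp = packument.time && packument.time[version];
    const publishedAt = stamp ? new Date(stamp) : null;
    if (!listed) {
      findings.push({ name, version, reason: "version unpublished", publishedAt });
    } else if (publishedAt && windowStart && windowEnd &&
               publishedAt >= windowStart && publishedAt <= windowEnd) {
      findings.push({ name, version, reason: "published inside incident window", publishedAt });
    }
  }
  return findings;
}

// Usage: run against the constructed data with a window that covers fake-helper's release.
const report = auditLockfile(
  sampleLockfile,
  sampleRegistry,
  new Date("2025-10-31T00:00:00Z"),
  new Date("2025-11-02T00:00:00Z"),
);
for (const f of report) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

A hit for "version unpublished" does not prove compromise, since maintainers also unpublish broken releases, but it is the cheapest signal a consumer has that the artifact in `node_modules` is one the registry has since disowned, and it is the first thing to check after an incident like the one described here.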
In a postmortem, Axios lead maintainer Jason Saayman explained that the hackers had infected his computer with a backdoor roughly two weeks before.
The attackers used social engineering tactics previously observed in the DeceptiveDevelopment, Operation Dream Job, Contagious Interview, and ClickFake Interview campaigns.
After inviting Saayman to a Slack workspace, the hackers scheduled a meeting on Microsoft Teams. When he joined the meeting, the maintainer received an error message and was instructed to install a fake update, which infected his system with a remote access trojan (RAT).
UNC1069, the North Korean hacking group blamed for the Axios supply chain attack, is now using similar social engineering tactics in a campaign targeting multiple high-profile Node.js maintainers.
The attacks were aimed at Socket CEO Feross Aboukhadijeh, several Socket engineers, Node Package Maintenance Working Group member Wes Todd, Platformatic co-founder and CTO Matteo Collina, Dotenv creator Scott Motte, Node.js Security Working Group contributor Ulises Gascón, and others.
The targeted individuals, Socket explains, maintain hundreds of NPM packages with billions of downloads between them. All reported social engineering attempts similar to the one Saayman described.
The campaign was likely mounted over the course of several weeks, with great attention to detail, to make the lures as convincing as possible. The attackers built seemingly legitimate meeting infrastructure and established trust before tricking the intended victims into executing malware.
“The operation takes weeks to execute and is deliberately designed to feel unremarkable. Attackers build rapport over time, schedule calls in advance and reschedule them, and conduct themselves with the professionalism of a legitimate business contact,” Socket notes.
In February, Google warned that UNC1069 had been using the same tactics in attacks targeting DeFi companies, cryptocurrency entities, and venture capital firms.
“I strongly recommend that the OSS maintainer community takes this very seriously. The specific personas and channels used for this attack are being investigated and taken down. But there are more. So many more. Report them. Talk about them. Share them. This is not your typical phishing,” security researcher Tay commented in the Axios postmortem thread.