A hacker has compromised a little-known but popular 2.4MB software package that is downloaded over 100 million times per week and is widely used across apps.
The IT security community is sounding the alarm about the attack on Axios, an “npm package,” meaning pre-built software that a developer can easily incorporate into a JavaScript project. Axios is the component that lets an app make requests to web servers and fetch data.
A hacker hijacked the account of Axios’ lead developer and quietly published two malicious versions of the package on Monday night, according to cybersecurity vendor StepSecurity.
To evade detection, the hacker-published versions contain no malicious code themselves. Instead, they declare a dependency on another package, “plain-crypto-js,” which is what installs the malware. The payload is designed to deliver a macOS, Windows, or Linux remote access Trojan, depending on the computer’s operating system, allowing the hacker to rifle through a PC, hijack functions, and potentially steal data.
The payloads are also designed to delete themselves after execution. The good news is that the attack only circulated for about three hours before the malicious plain-crypto-js component was taken down, according to Endor Labs. Still, given Axios’s reach, the attack may have affected numerous software developers. “If you installed either compromised version, treat the system as fully compromised,” Endor Labs says.
The security community is calling the incident a “supply chain attack” because any software project that incorporated Axios could have ended up running the attack if it was configured to pull the latest version of the npm package on install. Cybersecurity vendor Wiz noted the attack was observed in about 3% of the affected environments, including cloud and coding platforms.
Another provider, Huntress, said its security tooling flagged 135 customer computers that were found contacting the malware’s command-and-control server. “The first infection on a Huntress-monitored endpoint landed 89 seconds after [email protected] was published,” the company wrote.
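The mechanism described above, a clean-looking release that pulls in a second package, and projects on floating version ranges picking it up automatically on their next install, can be checked for in a lockfile audit. The following is an added example, not code from the article, the Axios project, or any of the vendors quoted; it assumes the lockfileVersion 2/3 layout of package-lock.json, and the compromised version numbers are placeholders because the article does not print them.

```javascript
// Added example (not from the article or the Axios project): audit an npm
// lockfile for the pattern in the Axios incident. The article does not give
// the compromised version numbers, so COMPROMISED_AXIOS_VERSIONS holds
// placeholders to be replaced with values from a vendor advisory.
const COMPROMISED_AXIOS_VERSIONS = new Set(["0.0.0-PLACEHOLDER-A", "0.0.0-PLACEHOLDER-B"]);
const TRANSITIVE_IOC_PACKAGE = "plain-crypto-js"; // package name quoted in the article

// Constructed sample package-lock.json (lockfileVersion 3 layout); not a real capture.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.0.0" } }, // floating range on a direct dependency
    "node_modules/axios": { version: "0.0.0-PLACEHOLDER-A", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// Returns a list of findings; an empty list means nothing matched.
function auditLockfile(lock) {
  const findings = [];
  const pkgs = lock.packages || {};
  for (const [path, entry] of Object.entries(pkgs)) {
    if (path === "") continue; // root project entry, handled below
    // Package name is whatever follows the last "node_modules/" segment.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name === "axios" && COMPROMISED_AXIOS_VERSIONS.has(entry.version)) {
      findings.push({ kind: "compromised-version", path, version: entry.version });
    }
    if (name === TRANSITIVE_IOC_PACKAGE) {
      findings.push({ kind: "ioc-package-present", path, version: entry.version });
    }
  }
  // Floating ranges ("^", "~", "*", ">=" or "latest") on direct dependencies are
  // what let a freshly published malicious version be pulled on the next install.
  const direct = (pkgs[""] && pkgs[""].dependencies) || {};
  for (const [name, range] of Object.entries(direct)) {
    if (/^[\^~*>]|^latest$/.test(range)) {
      findings.push({ kind: "floating-range", path: name, version: range });
    }
  }
  return findings;
}
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json")))`; a non-empty result is a reason to stop and inspect before the next `npm install`.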
As for who was behind the attack, Elastic Security Labs has uncovered evidence that the macOS malware shares similarities with suspected North Korean hacking activities.
The incident is a repeat of another npm-related attack that occurred in September, targeting 18 software packages. Although September’s attack had an even wider reach, the threat was quickly contained, with some experts remarking that the hacker appeared sloppy.
The latest attack seems to have been more carefully planned. “This was not opportunistic,” StepSecurity noted. “It was precision. The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct.”
GitHub, which hosts npm projects, has been trying to fend off such supply chain attacks. In December, it announced an “accelerated roadmap” to bolster security around npm, following a wave of attacks involving the “Shai-Hulud” malware circulating via compromised npm projects.
About Our Expert
Michael Kan
Senior Reporter
