
North Korean hackers reportedly compromised the popular Axios project to spread malware


A suspected North Korean hacker compromised and modified a popular open source tool to deliver malware, potentially putting millions of developers at risk of compromise.

On Monday, a hacker pushed malicious versions of a widely used JavaScript library called Axios, which developers rely on to let their software communicate over the internet. The library is published on npm, a software repository that hosts code for open source applications. Axios is downloaded tens of millions of times every week.

The compromise was spotted and stopped after about three hours, overnight from Monday to Tuesday, according to security company StepSecurity, which analyzed the attack.

Hackers target well-known projects in order to compromise everyone who relies on the tampered code, potentially giving them access to a far larger number of devices. This kind of breach is known as a supply chain attack, because compromising one widely used piece of software lets the attacker reach anyone who downloads it. In recent years, hackers have used supply chain attacks against companies such as 3CX, Kaseya and SolarWinds, as well as open source tools such as Log4j and Polyfill.io, to reach more victims.

It is unclear at this time how many people downloaded the affected versions of Axios while they were live. Security company Aikido, which also investigated the incident, said anyone who downloaded the code "should assume their system has been hacked."

Google told TechCrunch that its security researchers attribute the Axios hack to North Korean hackers.

"We assess that this was carried out by the North Korean actor we track as UNC1069," said John Hultquist, an analyst with the Google Threat Intelligence Group. "North Korean hackers have deep experience with supply chain attacks, which they have already used to steal cryptocurrency. The full extent of this incident is still unknown, but given the popularity of the tampered package, we expect it to cause a lot of problems."


The hacker was able to push malicious code into Axios by compromising the account of one of the project's maintainers, who was authorized to publish releases. The hacker then changed the email address on the account, making it harder for the maintainer to regain access.

Once in control of the account, the hacker published code designed to deliver a remote access trojan, or RAT, malware that can give the attacker complete control over the victim's computer. The malicious Axios versions the hacker released targeted Windows, macOS, and Linux users.

According to security researchers, the malware, and the code used to deliver it, was also designed to delete itself after installation in an attempt to evade anti-malware engines and researchers.
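One defender-side check this incident calls for, as an added example that is not from the article or from the Axios project: scan a project's package-lock.json for every pinned copy of a package, including nested copies pulled in by other dependencies, and compare them against a list of known-bad versions. The article does not name the malicious versions, so KNOWN_BAD_VERSIONS and both lockfiles below are placeholders constructed for the demo.

```python
import json
from typing import Dict, List, Set

# Constructed, abbreviated lockfiles for the demo (not taken from any real project).
# lockfileVersion 3: flat "packages" map keyed by node_modules path.
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {"version": "1.7.9"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "9.9.9-placeholder"},
}})
# lockfileVersion 1: nested "dependencies" tree.
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "axios": {"version": "1.7.9"},
    "some-sdk": {"version": "2.0.0", "dependencies": {"axios": {"version": "9.9.9-placeholder"}}},
}})

# PLACEHOLDER: the article does not name the malicious versions. Populate this from
# the registry advisory or the StepSecurity/Aikido write-ups before relying on it.
KNOWN_BAD_VERSIONS: Set[str] = {"9.9.9-placeholder"}


def resolved_versions(lock_text: str, package: str) -> Dict[str, str]:
    """Map every install path of `package` in a package-lock.json to its pinned version.
    Nested copies matter: a transitive dependency can pin a different version than
    the top-level one, so checking only node_modules/<package> would miss it."""
    lock = json.loads(lock_text)
    found: Dict[str, str] = {}
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2/3
        for path, meta in packages.items():
            if path.rsplit("node_modules/", 1)[-1] == package and "version" in meta:
                found[path] = meta["version"]
        return found

    def walk(deps: dict, prefix: str) -> None:  # lockfileVersion 1
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == package and "version" in meta:
                found[path] = meta["version"]
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_bad(lock_text: str, package: str, bad: Set[str]) -> List[str]:
    """Return the install paths whose pinned version is on the known-bad list."""
    return sorted(p for p, v in resolved_versions(lock_text, package).items() if v in bad)


if __name__ == "__main__":
    for path in flag_bad(SAMPLE_LOCK_V3, "axios", KNOWN_BAD_VERSIONS):
        print(f"known-bad version installed at {path}")
```

A hit on a nested path means the bad version arrived through another dependency, so pinning only the top-level axios entry would not have protected the project.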

Updated to include Google's attribution of the attack to North Korea.
