The sophisticated supply chain attack on the Axios library has been confirmed as the result of a targeted social engineering campaign against a project maintainer. This incident reveals the high level of effort state-sponsored actors are investing to bypass modern technical security controls.
The North Korea-nexus actor UNC1069 posed as a helpful contributor for several weeks to build a relationship with a project maintainer. This relationship allowed them to steal session cookies and lift account credentials, providing the ability to publish malicious versions 1.14.1 and 0.30.4. These versions delivered the WAVESHAPER.V2 backdoor, built to profile and exfiltrate secrets from Windows, Linux, and macOS systems.
When an attacker successfully hijacks the human relationship at the core of an open-source project, technical measures like MFA and OIDC provenance can still be bypassed. This represents a strategic shift where the maintainer is the primary target for identity theft rather than the infrastructure itself.
– Force rotate all NPM_TOKEN secrets and long-lived GitHub access keys that have been exposed in environment variables.
– Audit the project node_modules directory for any references to plain-crypto-js or unauthorized dependencies.
– Revert to Axios version 1.14.0 or 0.30.3 and implement strict version pinning in all project configuration files.
– Monitor build logs for anomalous outbound connections to unknown IP addresses during npm install.
The security of the supply chain is as dependent on the identity and relationship management of the maintainers as it is on the security of the code. #CodeDefence #Axios #SupplyChain #UNC1069