Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Axios NPM Package Compromised by North Korean Hackers in Coordinated Supply Chain Attack



A recent incident has exposed a vulnerability in the popular Axios HTTP client, which is used by millions of developers worldwide. North Korean hackers compromised the project's lead maintainer using a sophisticated social engineering campaign, gaining unauthorized access to authenticated sessions and compromising the project's authentication systems. The attack highlights the growing threat of supply chain attacks and the need for developers and organizations to be vigilant in protecting their dependencies and maintaining the integrity of their software supply chains.

  • A vulnerability was discovered in the Axios HTTP client, allowing North Korean hackers to gain unauthorized access to authenticated sessions.
  • The attackers used sophisticated social engineering tactics, including impersonating a company and cloning its branding, to trick the project's lead maintainer into installing malware.
  • A supply chain attack was carried out by publishing malicious versions of Axios on the npm package registry, which installed remote access trojan (RAT) malware on affected systems.
  • The attack was part of a coordinated campaign targeting maintainers of popular Node.js projects, with multiple victims reporting similar attacks.



    A recent incident has exposed a vulnerability in the popular Axios HTTP client, which is used by millions of developers worldwide. The attack, attributed to North Korean hackers, used a sophisticated social engineering campaign to gain unauthorized access to authenticated sessions and compromise the project's lead maintainer.

    According to a post-mortem analysis published on BleepingComputer.com, the compromise began weeks earlier through a targeted social engineering attack on Jason Saayman, the project's lead maintainer. The attackers impersonated a legitimate company, cloned its branding and founders' likenesses, and invited Saayman into a Slack workspace designed to impersonate the company.

    The Slack workspace contained realistic channels, with staged activity and fake profiles posing as employees and other open-source maintainers. Saayman was then invited to a real Slack workspace, which appeared to be the actual company's account but was in fact a phishing attempt.

    The attackers scheduled a meeting on Microsoft Teams that appeared to include numerous people, during which a technical error was displayed, claiming that something on the system was out of date. This prompted Saayman to install a Teams update to fix the error, which turned out to be a fake update that gave threat actors remote access to his device.

    The malicious versions of Axios were published on the npm package registry, triggering a supply chain attack. These releases injected a dependency named plain-crypto-js that installed a remote access trojan (RAT) on macOS, Windows, and Linux systems. The RAT malware allowed the attackers to obtain sensitive information, including credentials and authentication keys.
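As an added example, not code from the article or from the axios project, the following Node.js script walks a package-lock.json and reports any installed copy of, or declared dependency on, the plain-crypto-js package named above. The lockfile is constructed inline for illustration and its version strings are placeholders, not identified malicious releases.

```javascript
// Added example: scan a lockfile's resolved package tree for the injected
// dependency named in the report. Nothing here is code from axios or the article.
const SUSPECT_DEPENDENCY = 'plain-crypto-js';

// Constructed package-lock.json (lockfileVersion 3 layout). Every version string
// is a placeholder; no real release is being identified as malicious here.
const constructedLockfile = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '0.0.0-placeholder' } },
    'node_modules/axios': {
      version: '0.0.0-placeholder',
      dependencies: { 'plain-crypto-js': '*' },
    },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
    'node_modules/follow-redirects': { version: '0.0.0-placeholder' },
  },
};

// Walk every resolved package and report where the suspect name appears, either
// as an installed copy (lockfile key ends with node_modules/<name>) or as a
// dependency edge declared by some other package (including nested copies).
function findSuspectDependency(lockfile, suspect = SUSPECT_DEPENDENCY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (path === `node_modules/${suspect}` || path.endsWith(`/node_modules/${suspect}`)) {
      findings.push({ kind: 'installed', path, version: entry.version });
    }
    for (const field of ['dependencies', 'optionalDependencies']) {
      if (entry[field] && Object.hasOwn(entry[field], suspect)) {
        findings.push({ kind: 'declared-by', path: path || '(root)', field, range: entry[field][suspect] });
      }
    }
  }
  return findings;
}

// Print one JSON line per finding so the output can be fed to other tooling.
for (const finding of findSuspectDependency(constructedLockfile)) {
  console.log(JSON.stringify(finding));
}
```

To run the same check against a real project, replace `constructedLockfile` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a hit is a signal to compare the resolved axios version against the project's published advisory before reinstalling.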

    The incident highlights the vulnerability of widely used packages in the npm registry to supply chain attacks. Cybersecurity firm Socket reported that this was not an isolated incident but part of a coordinated campaign targeting maintainers of popular Node.js projects.

    "Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign," said Socket. "The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers."

    The attackers used a consistent pattern to target their victims, first making contact through platforms like LinkedIn or Slack and then inviting recipients into private or semi-private workspaces. They scheduled video calls, which in some cases were conducted through sites impersonating Microsoft Teams and other platforms.

    During these calls, an error message would be displayed to the targets, prompting them to install "native" desktop software that supposedly worked better, or to run commands to fix the technical issue. The same playbook was used against all the targets during the same time period, indicating that this was a coordinated campaign rather than a series of one-off attacks.

    The incident highlights the growing threat of supply chain attacks and the need for developers and organizations to be vigilant in protecting their dependencies and maintaining the integrity of their software supply chains.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Axios-NPM-Package-Compromised-by-North-Korean-Hackers-in-Coordinated-Supply-Chain-Attack-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/axios-npm-hack-used-fake-teams-error-fix-to-hijack-maintainer-account/

  • https://dev.to/devcodehub99/axios-was-compromised-on-npm-what-happened-how-it-works-and-what-you-must-do-right-now-1n1f

  • https://cybernews.com/security/social-engineering-attack-behind-axios-npm-compromise/


  • Published: Sat Apr 4 15:46:50 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.