North Korean hackers implicated in major supply chain attack

Illustration: Aïda Amer/Axios
Suspected North Korean hackers are believed to be behind an ongoing compromise of the widely used open-source package Axios, which is downloaded millions of times per week, researchers at Google said Tuesday.
Why it matters: Hackers briefly turned a widely trusted developer tool into a vehicle for credential-stealing malware that could give attackers ongoing access to infected systems.
- Axios, a widely used JavaScript library for making HTTP requests, is not affiliated with Axios Media.
Driving the news: Researchers at Google linked the activity to a North Korean group tracked as UNC1069, which has previously targeted cryptocurrency and decentralized finance companies.
- Earlier this week, a maintainer account for the Axios npm package was compromised, allowing attackers to publish malicious versions of the software targeting macOS, Windows and Linux systems.
- The attackers published at least two malicious versions of the package before they were discovered and removed.
Threat level: The malicious versions were removed within roughly three hours of being published, but John Hultquist, chief analyst at Google Threat Intelligence Group, warned the incident could still have "far-reaching impacts" given the package's widespread use.
- Wiz estimates Axios is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments.
- So far, Wiz has observed the malicious versions in roughly 3% of the environments it has scanned.
Between the lines: Google researchers said the incident is separate from another major npm supply chain attack disclosed last week.
What to watch: It remains unclear how the attackers gained access to the maintainer's GitHub account.
- Supply chain compromises often have a long tail, as infected code can persist in downstream projects long after malicious packages are removed.
