Fake Teams Update: How attackers tricked the axios maintainer

The axios maintainer describes how criminals planted malware in the HTTP client. Similar attacks are targeting other maintainers.


The HTTP client axios briefly carried a backdoor: the compromised releases were available for download for about three hours. How often they were downloaded and installed in that window is still unclear. The maintainer has now explained how it could happen.

On March 30, the attackers published versions 1.14.1 and 0.30.4, both laced with malware. The developer has since regained control of the package, and the releases have been taken down. A post by Google Threat Intelligence gives pointers for identifying systems that were already compromised.
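The first check a practitioner will want is whether one of the two malicious versions ever made it into a project. The following script is an added example, not code from the article, the axios project or Google Threat Intelligence. It scans an npm lockfile (lockfileVersion 1, 2 or 3) for axios at 1.14.1 or 0.30.4, and separately reports package.json ranges that would have resolved to one of those versions on a fresh install during the three-hour window. The sample lockfile and manifest embedded below are constructed for the demonstration; the range check supports only exact, caret and tilde ranges and reports anything else as unknown.

```javascript
// Added example: find the malicious axios releases named in the article
// (1.14.1 and 0.30.4) in an npm lockfile, and flag package.json ranges that
// would admit them. Constructed sample data; the only real identifiers are the
// package name and the two version numbers from the article.
const COMPROMISED = new Map([
  ["axios", new Set(["1.14.1", "0.30.4"])],
]);

// Walk a parsed package-lock.json and return every compromised install path.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  const check = (name, version, path) => {
    const bad = compromised.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, "" is the root.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta.version) continue;
      const idx = path.lastIndexOf("node_modules/");
      const name = path.slice(idx + "node_modules/".length); // keeps @scope/name
      check(name, meta.version, path);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects keyed by package name.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Minimal semver range check: exact, ^x.y.z and ~x.y.z only.
// Returns true/false, or null when the range syntax is not supported.
function rangeAdmits(range, version) {
  const m = range.match(/^([\^~]?)(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return null;
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const v = version.split(".").map(Number);
  const lo = [Number(m[2]), Number(m[3]), Number(m[4])];
  if (m[1] === "") return cmp(v, lo) === 0;
  if (cmp(v, lo) < 0) return false;
  let hi;
  if (m[1] === "~") hi = [lo[0], lo[1] + 1, 0]; // ~1.14.0 -> <1.15.0
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0]; // ^1.14.0 -> <2.0.0
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0]; // ^0.30.0 -> <0.31.0
  else hi = [0, 0, lo[2] + 1]; // ^0.0.3 -> <0.0.4
  return cmp(v, hi) < 0;
}

// Ranges in package.json that would have pulled a compromised version on a
// fresh install (i.e. without a lockfile pinning an older release).
function exposedRanges(manifest, compromised = COMPROMISED) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      for (const version of compromised.get(name) || []) {
        const admits = rangeAdmits(range, version);
        if (admits !== false) out.push({ name, range, version, admits });
      }
    }
  }
  return out;
}

// Constructed sample inputs (lockfileVersion 3 and 1) for the demonstration.
const SAMPLE_LOCK_V3 = {
  name: "demo", lockfileVersion: 3,
  packages: {
    "": { name: "demo", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.13.0" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { "old-lib": { version: "1.0.0", dependencies: { axios: { version: "0.30.4" } } } },
};
const SAMPLE_MANIFEST = { dependencies: { axios: "^1.14.0" }, devDependencies: { axios: "~1.13.0" } };

// Usage on a real project: node scan.js ./package-lock.json ./package.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("node:fs");
  const read = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
  console.log(findCompromised(read(process.argv[2])));
  if (process.argv[3]) console.log(exposedRanges(read(process.argv[3])));
}
```

A clean lockfile is only reassuring if it was not regenerated during the window in which the malicious releases were live; that is why the script also reports ranges, which tell you whether an `npm install` without a lockfile during those hours would have resolved to 1.14.1 or 0.30.4. The Google Threat Intelligence post referred to above remains the place to look for host-level indicators.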

In his post-mortem, the axios maintainer explains that the attackers, likely the North Korean group UNC1069, tricked him with a social engineering campaign that was carried out extremely professionally and convincingly.

He states that the attackers posed as company founders and invited him to a Slack workspace. According to him, everything there looked entirely genuine: several channels with relevant content and credible-looking profiles.

He was then invited to a Teams meeting. During the meeting an error message appeared and he was prompted to install an update. That "update" was not a Teams update but a trojan that steals access credentials. With it the attackers copied the developer's npm credentials and published the trojanized versions of axios.


The axios developer is not the only victim in the open-source maintainer community, however. Criminals are apparently also targeting other packages, such as the Mocha framework, whose maintainer reports this on GitHub.

According to security researchers at Socket, these are large-scale supply chain attacks that also extend to Lodash, Fastify, and Pino, among others. The affected packages are downloaded billions of times a week, which makes them an ideal base for widespread supply chain attacks.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.