Skip to content
.ca
sign in
4 minhigh

Feross on TBPN: How North Korea Hijacked Axios

North Korean state actors compromised the lead maintainer of the popular Axios npm package through a highly targeted social engineering campaign. By establishing credibility via fake corporate personas and communication channels, the attackers tricked the developer into executing malware disguised as a software update, ultimately gaining unauthorized publish access to the npm registry.

Conf:highAnalyzed:2026-04-10reports
ActorsNorth Korean state actors
North KoreaAxiosSupply Chain AttackSocial Engineeringnpm

Source:Socket

Key Takeaways

  • North Korean state actors successfully compromised the lead maintainer of the Axios npm package.
  • The attackers utilized a sophisticated, multi-week social engineering campaign involving a fake company, a fake Slack workspace, and a staged Microsoft Teams call.
  • Malware was delivered to the maintainer disguised as a software update, leading to the compromise of their machine.
  • The compromise granted the threat actors publish access to the npm registry for the Axios package.
  • The incident highlights the systemic vulnerability of 'blind trust' in the open-source software supply chain.

Affected Systems

  • npm package registry
  • Developer workstations

Attack Chain

North Korean threat actors initiated contact with the lead Axios maintainer, building trust over several weeks. They established a deceptive infrastructure, including a fake company, a fake Slack workspace, and a staged Microsoft Teams call. During these interactions, the attackers convinced the maintainer to download and execute a file disguised as a software update. This malware compromised the developer's machine, allowing the attackers to hijack their session or credentials and gain publish access to the Axios package on npm.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: Medium — EDR on the developer's machine could detect the execution of the disguised software update and subsequent post-exploitation activity, but the initial social engineering occurs off-sensor. Network Visibility: Low — Traffic to fake Slack workspaces or Teams calls appears as legitimate SaaS traffic, making network-based detection of the social engineering phase highly difficult. Detection Difficulty: Hard — The attack relies heavily on out-of-band social engineering and exploiting human trust, bypassing traditional technical controls until the final payload execution phase.

Required Log Sources

  • EDR process execution logs
  • Authentication logs (npm registry)
  • Web proxy logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for unusual execution of software updates or installers originating from untrusted or newly observed domains associated with communication platforms.EDR process and network eventsExecutionMedium
Monitor for unexpected or anomalous authentication events to package registries (like npm) from developer workstations, especially following unusual communication patterns or from unexpected IP addresses.Authentication logsCredential Access/ImpactLow

Control Gaps

  • Lack of strict verification for third-party communications and job offers
  • Insufficient endpoint protection against socially engineered payloads on developer machines

Key Behavioral Indicators

  • Execution of unverified binaries downloaded during communication sessions
  • Anomalous npm publish events or session token usage

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Review and audit npm publish access logs for anomalous activity.
  • Enforce mandatory Multi-Factor Authentication (MFA) for all package maintainers and critical infrastructure access.

Infrastructure Hardening

  • Implement strict endpoint controls on developer workstations, including application allowlisting and restricted administrative privileges.
  • Utilize hardware security keys (e.g., YubiKeys) for accessing code repositories and package registries.

User Protection

  • Deploy advanced EDR solutions on all developer endpoints to detect anomalous execution of downloaded files.

Security Awareness

  • Train developers on advanced social engineering tactics, specifically targeting open-source maintainers via fake job offers, interviews, or collaborations.
  • Establish strict verification protocols for external communications and software downloads during third-party engagements.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1204.002 - User Execution: Malicious File
  • T1078 - Valid Accounts

Related