Suspected North Korean hackers compromised the widely used Axios JavaScript library, turning the open-source package into a vehicle for credential-stealing malware, according to Google researchers. The attackers gained control of a maintainer account for the Axios npm package and published at least two malicious versions targeting macOS, Windows and Linux systems. Google linked the activity to a North Korean group tracked as UNC1069, which has previously targeted cryptocurrency and decentralized finance companies.

The incident highlights the vulnerability of software supply chains, where trusted developer tools can become attack vectors. Axios is a popular JavaScript library for making HTTP requests and is not affiliated with Axios Media. The compromise could have "far-reaching impacts" given the package's widespread adoption across the software development ecosystem.

According to Wiz, the Axios package is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments. The security firm has observed the malicious versions in roughly 3% of the environments it has scanned. The malicious versions were removed within approximately three hours of being published.

The quick removal may have limited immediate damage, but supply chain compromises often have lasting effects because infected code can persist in downstream projects that already pulled it in. It remains unclear how the attackers gained access to the maintainer's GitHub account. Google researchers noted that this incident is separate from another major npm supply chain attack disclosed last week.

The attack underscores ongoing challenges organizations face in defending against supply chain cyberattacks, where compromising a single trusted component can potentially affect millions of users and systems.