A significant supply-chain compromise has hit the JavaScript ecosystem: a malicious dependency was inserted into the widely used axios NPM package. The attack has led to the widespread installation of the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
Impact on the JavaScript Community
The axios library, widely used for making HTTP requests, was compromised in versions 1.14.1 and 0.30.4. Those releases quietly pulled in the malicious plain-crypto-js dependency, potentially affecting many developer workstations, build servers, and applications that install from the official package registry.
Google Cloud researchers reported that the attackers likely gained access to the axios maintainer account, changed the email address associated with it, and published plain-crypto-js version 4.2.1. The attack has been attributed to UNC1069, a group linked to North Korea, based on overlaps in infrastructure and malware.
Stealthy Delivery Mechanism
The attack is dangerous because it is simple and effective. The malicious code abuses the standard NPM installation process via a postinstall hook, so the dropper runs automatically and unnoticed as soon as the compromised axios package is installed.
The infection chain begins with an obfuscated JavaScript dropper, setup.js, also tracked as SILKBELL. When executed, the script detects the operating system and deploys a separate payload for each platform: on Windows it relies on PowerShell, on macOS it deploys a Mach-O binary, and on Linux a Python backdoor.
Response and Mitigation Strategies
In response, organizations are advised to avoid the compromised axios versions 1.14.1 and 0.30.4 and to use unaffected releases instead. Any system that installed the malicious dependency should be treated as compromised: rebuild it or revert it to a known-good state, and rotate its credentials.
Security teams should also suspend affected CI/CD pipelines, clear package caches, and monitor for unusual activity originating from Node.js applications. Blocking traffic to the IP addresses linked to the attack is also recommended.
The incident underscores how trusted open source packages can become entry points for attackers with little warning. Given how widely axios is used, organizations should examine both direct and indirect dependencies across all of their systems.
Rapid containment is crucial: it significantly narrows the window in which the malicious code can be exploited further.
