AI Autopsy: Axios Campaign Charts an Evolution in Social Engineering

For CISOs, there are two points of concern. The use of new social engineering tactics that could be turned against their own organisation. And the continued challenges presented by Trojanised open source packages. Neither has a simple solution.

Ground zero: Axios

The main focus for this campaign was Axios, a JavaScript library downloaded over 100 million times a week and used as a dependency in a large number of developer environments and CI/CD pipelines. The group responsible, identified by Google Threat Intelligence Group (GTIG) as financially motivated North Koreans UNC1069, meticulously planned the attack on Axios lead maintainer, Jason Saayman.

In a GitHub post he revealed exactly what they did:

• Impersonated the founder of a company via a deepfake in initial outreach
• Invited Saayman to a Slack Workspace convincingly branded with the company’s logos, and featuring LinkedIn posts, fake profiles of team members and other OSS maintainers
•  Scheduled a Teams meeting to connect with Saayman and other individuals
• On the meeting, displayed a technical error pop-up saying something on Saayman’s system needed updating. This turned out to be a RAT
• This enabled them to get hold of the npm credentials they needed to hijack the Axios project

The latter part of the attack was akin to a ClickFix-style social engineering effort, in which victims are shown a fake error message and then requested to work through various steps that covertly install malware.

“Everything was extremely well co-ordinated, looked legit and was done in a professional manner,” said Saayman.

Then what?

With access to Saayman’s npm environment, they wasted no time in getting to work: adding malicious dependency “plain-crypto-js@^4.2.1” into packages axios@1.14.1 and axios@0.30.4 within half an hour of each other. During the installation of these malicious packages on victims’  machines, they reportedly launched an obfuscated dropper to contact a C&C server for the next stage payload.

The resulting cross-platform RAT was designed to enable the threat actors to execute commands and achieve persistence on targeted machines. Crucially, multi-factor authentication (MFA) was no protection here as it allowed the hackers to access authenticated sessions.

“Adversaries will undoubtedly see the success of deception like this, and we will continue to see these techniques adopted by more threat groups with different targets and different goals, if for no other reason than it works” John Hammond

In an apparent bid to obfuscate the attack and maintain persistence, UNC1069 changed Saayman’s npm account email. They also hijacked his GitHub account and used admin privileges to unpin and delete an issue reporting the compromise. Although the malicious versions were removed around three hours after the attack began, the blast radius is potentially wide. GTIG warned of a broad impact with “ripple effects” across many other popular packages that rely on Axios as a dependency.

Google also claimed that this campaign, and other attacks on the open source software supply chain in recent weeks by threat actor TeamPCP, may have led to hundreds of thousands of stolen secrets. “This could enable further software supply chain attacks, SaaS environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term,” it said.

OpenAI has already warned of potential risk exposure, and there may be more revelations to come. “Taken together, this points to a strategy focused on mass distribution and digital reconnaissance that may prove to be useful in future campaigns, be it for ransoming or for conducting further follow-on operations,” Sonatype field CTO, Ilkka Turunen, tells Assured Intelligence.

The campaign goes wider

Unfortunately, that’s not where the story ends. Another open source maintainer of multiple projects, Pelle Wesseman, claimed he was also targeted by the same social engineering techniques. Security vendor Socket confirmed that the same actors have been targeting countless maintainers in the npm ecosystem.

These include Socket’s own CEO Feross Aboukhadijeh, who has created dozens of popular npm packages with billions of downloads. The Socket write-up warns that the initial scam Teams call was scheduled with a disarming lack of urgency, which is unusual for social engineering.

These techniques have also been used by UNC1069 in other campaigns, such as those targeting the cryptocurrency and decentralised finance (DeFi) verticals. And they could quite easily be repurposed by this and other groups, says John Hammond, a senior principal security researcher at Huntress who first uncovered the Axios campaign.

“We see similar playbooks with DPRK IT worker scams, with deepfake video calls – any sort of clever tricks to establish what looks like a legitimate and professional operation. But it is just a front to fool the end victim,” he tells Assured Intelligence. “Adversaries will undoubtedly see the success of deception like this, and we will continue to see these techniques adopted by more threat groups with different targets and different goals, if for no other reason than it works.”

SANS Institute faculty fellow, Joshua Wright, agrees, noting the “extraordinary” ROI the threat actors generated via social engineering as opposed to traditional intrusion methods.

“More broadly, CISOs can reduce their exposure to potentially malicious open source packages by pinning dependencies to “known-good versions” Joshua Wright

“We should expect this playbook – social engineering plus supply chain poisoning – to be adopted broadly across threat actor categories. These could include espionage groups going after government contractor dependencies, financially motivated actors targeting packages used in fintech and banking, and hacktivists looking for maximum message reach and disruption,” he tells Assured Intelligence.

“The barrier to entry for these attacks is low. A convincing deepfake call or a well-crafted phishing lure aimed at an unpaid volunteer maintainer can accomplish what a sophisticated exploit chain used to require.”

Monitoring for malice

It goes without saying that affected organisations should uninstall any malicious packages immediately, says Sonatype’s Turunen. “Next, audit your environment: review dependency trees and lockfiles. Identify any systems that have installed affected versions,” he tells Assured Intelligence.

“From there, it’s critical to always assume compromise may occur and practice for it. Rotate your credentials and API keys and rebuild affected systems from a clean slate.”

More broadly, CISOs can reduce their exposure to potentially malicious open source packages by pinning dependencies to “known-good versions”, SANS Institute’s Wright explains.

“Monitor for unexpected dependency changes. Dependency analysis tools such can detect when a package suddenly adds a new dependency,” he continues. “In this case, the malicious Axios versions pulled in plain-crypto-js, a package that had never been part of the Axios dependency tree. That kind of a change should trigger a review for the dev and security teams.”

CISOs should also require that their CI/CD pipelines verify provenance on critical dependencies to mitigate the risks that unvalidated packages introduce, Wright says. Runtime behaviour monitoring can spot unusual activity, such as outbound connections, that malware may attempt.

Huntress’s Hammond says some industry experts are calling for teams to wait a set period (eg seven days) before updating new libraries and packages.

“Tools that manage npm or PyPI offer that within their own configuration setup,” he says. “While [the waiting period] may vary depending on your own risk assessment, this could at least give some time for the industry to sound the alarm or get ahead of compromised or trojanised packages.”

Both experts also support the idea of “software bills of materials”, or SBOMs, which can uncover hidden vulnerabilities and accelerate incident response and remediation.

How to catch a phisher

As for the ClickFix techniques, deepfakes and multi-stage social engineering TTPs used by UNC1069, SANS Institute’s Wright argues that updated user education and awareness training must be the first port of call. “Employees need to understand that video calls can be faked and that no legitimate process should ever ask them to paste commands into a terminal or run unknown scripts,” he says.

“Another vital measure is the enforcement of hardware-bound MFA everywhere. If the Axios maintainer’s npm account had been protected by a FIDO2/WebAuthn hardware key rather than time-based one-time password or SMS, the account takeover would have been significantly harder even after successful social engineering.”

Wright also urges CISOs to restrict developer workstation permissions to limit the blast radius of attacks. And out-of-band verification procedures for any request that involves credentials, access changes, or running unfamiliar code.

“The problem with a lot of these defences is that it assumes an enterprise-level degree of preparedness,” he concludes. “These defences are rarely adopted by one-person open source development teams, even when the package they maintain is widely relied upon for many other widely used software products. We will see much more of this in the coming months and years.”