
Top NPM Maintainers Targeted with AI Deepfakes in Massive Supply-Chain Attack, Axios Briefly Compromised (pcmag.com)

"Hackers briefly turned a widely trusted developer tool into a vehicle for credential-stealing malware that could give attackers ongoing access to infected systems," the news site Axios.com reported Tuesday, citing security researchers at Google.

The compromised package — also named axios — simplifies HTTP requests, and reportedly receives millions of downloads each day: The malicious versions were removed within roughly three hours of being published, but Google warned the incident could have "far-reaching impacts" given the package's widespread use, according to John Hultquist, chief analyst at Google Threat Intelligence Group. Wiz estimates Axios is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments. So far, Wiz has observed the malicious versions in roughly 3% of the environments it has scanned.
Friday PCMag notes the maintainer's compromised account had two-factor authentication enabled, with the breach ultimately traced "to an elaborate AI deepfake from suspected North Korean hackers that was convincing enough to trick a developer into installing malware," according to a post-mortem published Thursday by lead developer Jason Saayman: [Saayman] fell for a scheme from a North Korean hacking group, dubbed UNC1069, which involves sending out phishing messages and then hosting virtual meetings that use AI deepfakes to clone the face and voices of real executives. The virtual meetings will then create the impression of an audio problem, which can only be "solved" if the victim installs some software or runs a troubleshooting command. In reality, it's an effort to execute malware. The North Koreans have been using the tactic repeatedly, whether it be to phish cryptocurrency firms or to secure jobs from IT companies.

Saayman said he faced a similar playbook. "They reached out masquerading as the founder of a company, they had cloned the company's founders likeness as well as the company itself," he wrote. "They then invited me to a real Slack workspace. This workspace was branded... The Slack was thought out very well, they had channels where they were sharing LinkedIn posts. The LinkedIn posts I presume just went to the real company's account, but it was super convincing etc." The hackers then invited him to a virtual meeting on Microsoft Teams. "The meeting had what seemed to be a group of people that were involved. The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the remote access Trojan," he added. "Everything was extremely well coordinated, looked legit and was done in a professional manner."

Friday developer security platform Socket wrote that several more maintainers in the Node.js ecosystem "have come out of the woodwork to report that they were targeted by the same social engineering campaign." The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers. Attackers also targeted several Socket engineers, including CEO Feross Aboukhadijeh. Feross is the creator of WebTorrent, StandardJS, buffer, and dozens of widely used npm packages with billions of downloads... Commenting on the axios post-mortem thread, he noted that this type of targeting [against individual maintainers] is no longer unusual... "We're seeing them across the ecosystem and they're only accelerating."

Jordan Harband, John-David Dalton, and other Socket engineers also confirmed they were targeted. Harband, a TC39 member, maintains hundreds of ECMAScript polyfills and shims that are foundational to the JavaScript ecosystem. Dalton is the creator of Lodash, which sees more than 137 million weekly downloads on npm. Between them, the packages they maintain are downloaded billions of times each month. Wes Todd, an Express TC member and member of the Node Package Maintenance Working Group, also confirmed he was targeted. Matteo Collina, co-founder and CTO of Platformatic, Node.js Technical Steering Committee Chair, and lead maintainer of Fastify, Pino, and Undici, disclosed on April 2 that he was also targeted. His packages also see billions of downloads per year... Scott Motte, creator of dotenv, the package used by virtually every Node.js project that handles environment variables, with more than 114 million weekly downloads, also confirmed he was targeted using the same Openfort persona.

Socket reports that another maintainer was targeted with an invitation to appear on a podcast. (During the recording a suspicious technical issue appeared which required a software fix to resolve....)

Even judged purely on its technical implementation, "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package," the CI/CD security company StepSecurity wrote Tuesday: The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json with a clean decoy... Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies... Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.
"As preventive steps, Saayman has now outlined several changes," reports The Hacker News, "including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices."

The Wall Street Journal called it "the latest in a string of incidents exposing risks in the systems that underpin how modern software is built."


  • by ByTor-2112 ( 313205 ) on Saturday April 04, 2026 @11:43PM (#66077904)

    How does a teams meeting tell you to install software? Some kind of addon?

  • by CAIMLAS ( 41445 ) on Sunday April 05, 2026 @12:24AM (#66077920)

    npm is a problem. It's this massive, unvetted self-publishing repository without any easy way to verify the origin of packages, and the packages largely get installed directly to production on billions of sites every day without any vetting or review.

    It's crazy, like something out of the 90s.

    Yes, supply attacks like those carried out against npm are pretty common in general, at the state actor level. There've been a couple fun ones in recent years. But the openness and lack of basic precautions surrounding npm in conjunction with common development practice just makes it a recipe for disaster.

    • Re:npm is a problem (Score:5, Informative)

      by martin-boundary ( 547041 ) on Sunday April 05, 2026 @12:59AM (#66077938)
      Those issues are not new. What *is* new is that AI mimicry has lowered the bar for attacks substantially.
      • by CAIMLAS ( 41445 )

        I never said they were new. I, instead, inferred that they're the kind of problems which shouldn't exist, because it's a mindset out of the 90s when the Internet was still comparably high-trust. They're inexcusably negligent.

        • There can be no co-operation without some measure of trust. It's a collective balancing act which is not purely technical. AI mimicry enables new kinds of social engineering attacks that have never been possible before. The onus should not be purely on the software architecture, IMHO.
    • by darkain ( 749283 ) on Sunday April 05, 2026 @02:49AM (#66077980) Homepage

      While I agree in theory, this particular case is different.

      Do you validate every single package inside of yum/dnf/apt/pkg or similar OS package repositories?

      Because what happened in this case, the maintainer for a major package had their system compromised.

      This could have easily been an attack against any package in any OS repo, open or closed source, using this method.

      • In production? Pretty much yes. Packages are kept in a Satellite repo and various manifests for machines are made. Those are tested with the production software. Any changes between versions/manifests are scrutinized.

        So, yes, it could have been "any OS repo, open or closed source, using this method" but if that's the method you use for installing deps in prod you're a hack job and your company is basically committing engineering malpractice.
        • by CAIMLAS ( 41445 )

          Pretty much exactly my point.

          The fact that every dev seems to just install the latest whatever from npm doesn't help. There's really no "staging", "stable", or "security" branches, and effectively zero vetting outside what the package developer did. That's a lot of trust.

    • I think this sort of problem could happen with any sort of package manager. A developer targeted by a sophisticated, high-budget fake is not a problem specific to NPM. I don't really know how the protocols for publishing Maven, NuGet, PyPI, etc. differ ... but I suspect all are vulnerable to the same sort of attack. Maybe NPM is more vulnerable than the others, but it is only a matter of degree.

    • by znrt ( 2424692 )

      npm is a problem. It's this massive, unvetted self-publishing repository without any easy way to verify the origin of packages,

      not rtfa is a problem, it makes you go on delusional witch hunts spouting massive unvetted unrelated nonsense without any easy way to delete them afterwards.

      hint: "[Saayman] fell for a scheme".

      lack of basic precautions (...) common development practice just makes it a recipe for disaster.

      wait, this bit actually makes some sense, except it is a different problem and not particular to npm but to every single dependency/distribution system, including those not invented yet.

    • No, not really. On my dev system, I will npm install something. When I am ready to capture my changes, commit to my dev branch and push. Now a test system can run it. Only then will my changes be merged to production. There is no reason for you to not go through a test system with your changes first. The malicious code would have dropped a payload only on my system and performed its own housekeeping. My prod system would not have been affected.
  • by jvkjvk ( 102057 ) on Sunday April 05, 2026 @12:37AM (#66077928)

    >The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the remote access Trojan,

    Why on earth aren't you downloading this from a MS Teams page, if something is out of date? It certainly wasn't a popup from Teams itself that showed you this.

    If I get an official looking message in email, I don't go about clicking on the links in it - I go directly to the website, log in, and see what's up.

    • Stop the victim blaming! The Koreans are the baddies!

      What, this is a nerd site? Oh, carry on...

      On a more serious note, I immediately wondered why he didn't use a not work connected tablet instead of his work machine for Teams, during the home office years after COVID I always refrained from installing anything MS onto my Linux box, since I consider their software untrustworthy. Not just in the sense that they might have gaping security holes but also that they might use telemetry and other features to s

    • If you click through to see what is happening, they are being directed to copy/paste some text into a command prompt - I assume the troubleshooting website is some official looking page that describes how to repair the issue. The text has a series of innocuous commands that may appear to be legit to a naive user but there is a command, buried in the middle, to download and run the malware - in the linked page, the Mac version used curl piped to zsh and the Windows version used mshta.

    • Right, this is the part I didn't get. How can you fall for "oh you need to install a new codec" bullshit. It's like a rogue plugin from 2005.

      • by kaur ( 1948056 )

        How can you fall for...

        99 times out of 100 you don't.
        1 time you do and that's enough.
        Or just 1 person out of 100 or 1000 or 10000 targeted users does, and again, that's enough.

        No amount of human vigilance helps in the long run.

  • by oldgraybeard ( 2939809 ) on Sunday April 05, 2026 @01:27AM (#66077948)
    Re secured things Good! But the real problem is not this remote repo! The real problem is "using" remote repos that are out of your control!
    Fun Fun "downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments"
  • by nextTimeIsTheLast ( 6188328 ) on Sunday April 05, 2026 @02:53AM (#66077982)
    I feel in my bones (not put any effort into a design however) that there ought to be a block chain/trust solution somewhere out there to this problem.
    • The problem is that the people who are trusted to make changes got hacked by a sophisticated, well-funded, highly targeted campaign. There is no technical solution to this. Somebody has to have the right to make changes and these people are human and will make mistakes.

  • by outsider007 ( 115534 ) on Sunday April 05, 2026 @04:40AM (#66078032)

    Browsers and node / bun all have fetch which does the job. Them being careless should be the last nail in their coffin IMHO.

  • The real problem (Score:4, Insightful)

    by gweihir ( 88907 ) on Sunday April 05, 2026 @05:27AM (#66078060)

    Is the high effort the attackers invested. Seems things are heating up.

  • by HnT ( 306652 ) on Sunday April 05, 2026 @07:59AM (#66078160)

    I am honestly surprised these kind of software supply chain attacks are not vastly more common. Literally everything we are using every day is relying on a bunch of tools and libraries developed under some F/OSS license online, and especially the JS ecosystem is rife with opportunities due to various factors that overwhelmingly affect the JS ecosystem more so than other kinds of repos.

  • by Carcass666 ( 539381 ) on Sunday April 05, 2026 @10:00AM (#66078260)

    The fundamental problem is that bad actors are willing to spend considerable money and resources to implement these attacks, and the consumers of this software are unwilling to spend the considerable money and resources to mitigate risk. Maybe there's a business model for a firm/organization to say "Okay, we're going to own this", meaning creating an ecosystem (curated walled garden) along the following lines?

    • Companies (customers) pay non-trivial fees for curating a secure set of NodeJS (or Python or whatever) packages
    • Fees would go toward personnel and resources (including AI) to import and review new and updated packages posted on the "open" package managers (NPM, PyPi, etc.)
    • Candidate packages to be added to this ecosystem would have to include unobfuscated source, build/transpile instructions and sufficient unit testing (and integration testing, when applicable)
    • Packages that fail security scans, rely on packages/package versions not trusted in the ecosystem, have pre-compiled or obfuscated content, etc. will be rejected
    • Packages with open source licenses (GPL, MIT, etc.) can be submitted for free. For-profit/restricted packages would require a fee.
    • Indemnification / Insurance covering costs associated with supply-chain attacks that make it through this ecosystem. [Optional?]
    • There is no reason why there couldn't be more than one of these ecosystems (if there is enough money to be made to support it)

    It is likely that the indemnification/insurance part of this will be the most expensive part of this (profits and shareholder return notwithstanding). But without at least an option for this, I don't see how you get companies to take this seriously enough to pay for it.

    Most of the package scanning tools that I know of only work once you have already retrieved packages that may have been compromised. Paying to secure the supply chain upstream is a better solution, if somebody could make money doing it.

  • by reanjr ( 588767 ) on Sunday April 05, 2026 @02:48PM (#66078628) Homepage

    I had a coworker who used to add lodash and axios to like every project. I had to repeatedly reject PRs that pulled in 50MiB of code to do basic shit JavaScript already does. Like lodash is the source of insane amounts of security bulletins, and all it's being used for is one-line functions. Axios is a monstrosity that (poorly) duplicates the functionality of the web standard fetch API that already does everything you'll ever need.

    Anyone using these packages deserves to get hacked.
