North Korean Attackers Compromise Popular Web Tool



Hackers suspected of being linked to North Korea have targeted a popular open-source component used by millions of developers to build online applications.

The hackers pushed a malicious version of Axios to developers on the night of 30 to 31 March, security researchers said.

The malicious software was in place for about three hours before the issue was remedied.

Malicious package

It was unclear how many developers accessed the malicious software during that period.

Security firm Aikido said anyone who downloaded the malicious code, which included a remote-access Trojan, or RAT, “should assume their system is compromised”.

The software is downloaded tens of millions of times each week.

Google’s Threat Intelligence Group said it attributed the attack to a group it tracks as UNC1069, which it said has been linked in the past to North Korea’s thefts of billions of dollars’ worth of cryptocurrency each year.

North Korean hackers

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst at the Google unit.

“The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.”

The hackers were able to place the malicious code by hacking the account of one of the project’s primary developers.

They then pushed out new versions of Axios that contained malicious software for Windows, Mac and Linux systems.

Supply-chain attack

Supply-chain hacks can enable attackers to compromise the systems of large numbers of a software product’s users, who can be individuals or organisations.

Well-known previous examples include hacks of Kaseya and SolarWinds, both used by thousands of enterprises.


