UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
Briefly

"They had cloned the company's founders' likeness as well as the company itself. They then invited me to a real Slack workspace. This workspace was branded to the company's CI and named in a plausible manner."
"As soon as the update was triggered, the attack led to the deployment of a remote access trojan. The access afforded by the Trojan enabled the attackers to steal the npm account credentials necessary to publish two trojanized versions of the Axios npm package."
"Everything was extremely well coordinated, looked legit, and was done in a professional manner."
"Historically, [...] these specific guys have gone after crypto founders, VCs, public people. They social engineer them and take over their accounts and target the next."
The Axios npm package was compromised through a sophisticated social engineering attack by North Korean threat actors known as UNC1069. The maintainer, Jason Saayman, was approached by attackers impersonating a legitimate company founder. They created a convincing Slack workspace and scheduled a fake Microsoft Teams meeting, during which a remote access trojan was deployed. This allowed the attackers to steal npm account credentials and publish trojanized versions of the Axios package. The attack mirrored tactics previously documented by security firms, indicating a pattern in targeting high-profile individuals.
Read at The Hacker News