THREAT actors hijacked the Axios npm package, introducing malicious versions of plain-crypto-js as a dependency to spread remote access Trojans (RATs), according to researchers at OpenSourceMalware. With access to the maintainer Jason Saayman’s account, the attackers published versions v1.14.1 and v0.30.4 featuring plain-crypto-js, and changed Saayman’s email on the account for persistence while also hijacking his GitHub account.
The incident involved the attacker using stolen credentials to publish these compromised packages, rather than legitimate GitHub Actions workflows, and occurred after staging the malicious dependency the day before the account takeover. OpenSourceMalware noted that DigitalBrainJS, lacking admin access, could not revoke permissions and had to escalate to npm administration, who removed the malicious versions and revoked tokens roughly three hours after the attack began.
Google’s GTIG attributed the activity to UNC1069, a North Korea‑nexus threat actor, citing the use of WAVESHAPER.V2 in the operation, with some suggesting North Korean state involvement in a blog post dated 31 March.