North Korean cybercriminals accused of commandeering well-known Axios open source initiative to disseminate malware

A suspected hacker from North Korea has taken control of a widely used open source software development tool, modifying it to deploy malware that could endanger millions of developers.

On Monday, a hacker published malicious versions of Axios, a popular JavaScript HTTP client that developers use to make web requests from their software. The compromised releases were pushed to npm, the package registry from which JavaScript projects install their dependencies. Axios is downloaded tens of millions of times each week.

The hijacking was detected and halted within approximately three hours from Monday night into Tuesday, as reported by the security firm StepSecurity, which investigated the incident. 

Attackers are increasingly targeting the maintainers of prominent open source projects in order to compromise everyone who relies on the project's code, potentially gaining access to a very large number of devices at once. Such breaches are called supply chain attacks because they subvert a trusted piece of software and then reach anyone who installs the tainted version. In recent years, attackers have hit firms such as 3CX, Kaseya, and SolarWinds, as well as open source components like Log4j and Polyfill.io, to reach extensive user bases.

Currently, it remains uncertain how many individuals downloaded the malicious variant of Axios within that timeframe. The security firm Aikido, which also looked into the incident, advised anyone who obtained the code to “assume their system is compromised.”
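The first question a team has to answer after an advisory like this is whether any of its projects resolved one of the bad releases during the exposure window. The script below is an added example, not code from the article or from the Axios project: it walks an npm `package-lock.json` (both the lockfileVersion 2/3 `packages` map and the older lockfileVersion 1 nested `dependencies` tree), reports every resolved copy of a package including nested duplicates under other dependencies, and flags any version on a block list. The version strings in `BAD_VERSIONS` and the sample lockfiles are constructed placeholders; the article does not name the affected releases, so substitute the versions from the advisory you are acting on.

```python
"""Find every resolved version of a package in an npm lockfile and flag
versions on a block list.  Added example; the block-list entries and the
sample lockfiles below are constructed placeholders, not real releases."""
import json
import sys
from typing import Dict, List, Set, Tuple

# Placeholder block list (assumption): replace with the versions named in
# the advisory.  The article itself does not list the malicious releases.
BAD_VERSIONS: Dict[str, Set[str]] = {"axios": {"0.0.0-example-bad"}}


def find_package_versions(lock: dict, name: str) -> List[Tuple[str, str]]:
    """Return (install path, version) for every copy of `name` in `lock`.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by the on-disk
    path ("node_modules/axios", "node_modules/foo/node_modules/axios").
    lockfileVersion 1 nests "dependencies" recursively instead.
    """
    found: List[Tuple[str, str]] = []

    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            # The last path component after "node_modules/" is the package
            # name; the root entry "" never matches.
            if path.split("node_modules/")[-1] == name and "version" in meta:
                found.append((path, meta["version"]))
        return found

    def walk(deps: dict, prefix: str) -> None:
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name and "version" in meta:
                found.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_bad(lock: dict, bad: Dict[str, Set[str]] = BAD_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (package, install path, version) for every blocked version found."""
    hits: List[Tuple[str, str, str]] = []
    for name, versions in bad.items():
        for path, ver in find_package_versions(lock, name):
            if ver in versions:
                hits.append((name, path, ver))
    return hits


# Constructed sample lockfiles for a stand-alone run (not real projects).
SAMPLE_LOCK_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {"version": "0.0.0-example-bad"},
        "node_modules/some-lib": {"version": "2.1.0"},
        # A second, nested copy pulled in by some-lib: must not be missed.
        "node_modules/some-lib/node_modules/axios": {"version": "0.0.0-example-ok"},
    },
}

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {
            "version": "2.1.0",
            "dependencies": {"axios": {"version": "0.0.0-example-bad"}},
        },
    },
}


if __name__ == "__main__":
    # Usage: python scan_lock.py path/to/package-lock.json
    # With no argument the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            locks = [(sys.argv[1], json.load(fh))]
    else:
        locks = [("SAMPLE_LOCK_V3", SAMPLE_LOCK_V3), ("SAMPLE_LOCK_V1", SAMPLE_LOCK_V1)]
    for label, lock in locks:
        for name, path, ver in flag_bad(lock):
            print(f"{label}: blocked {name}@{ver} at {path}")
```

A lockfile scan only tells you what a project pins today; a machine that ran `npm install` during the exposure window and has since updated will show a clean lockfile but may still have executed the payload, which is why the article's advice to treat such hosts as compromised still applies.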

Google informed TechCrunch that its security analysts are associating the Axios breach with North Korean hackers.

“We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” stated John Hultquist, the chief analyst for Google’s Threat Intelligence Group. “North Korean hackers possess significant experience with supply chain attacks, which they have historically employed to steal cryptocurrency. The complete scope of this incident remains unclear, but due to the popularity of the compromised package, we anticipate it will have widespread consequences.”


The hacker was able to insert malicious code into Axios by breaching the account of one of the project's main developers, an account with permission to publish new releases of the package. The hacker then replaced the legitimate developer's email address on the account with their own, making it harder for the developer to regain access.

After taking control of the account, the hacker added code designed to deliver a remote access trojan, or RAT: malware that gives an attacker complete remote control over a victim's machine. The hacker then published new versions of Axios disguised as a legitimate update, with payloads targeting Windows, macOS, and Linux users.

The hackers also programmed the malware, along with some of the code used for its delivery, to automatically erase itself post-installation in an effort to evade detection by anti-malware software and investigators, according to security experts.

Updated to include information from Google regarding the attribution to North Korea.