
    Social engineering attacks on open source developers are escalating

    By admin | April 8, 2026

    North Korean hackers spent weeks socially engineering an Axios maintainer through a fake Slack workspace, a cloned company identity, and a fabricated Microsoft Teams call that tricked him into installing a RAT posing as a software update. They used the access they gained to inject malware into npm packages downloaded 100+ million times a week.

    Now, a fresh Open Source Security Foundation (OpenSSF) advisory warns unknown attackers are using a similar approach to target other open source developers.

    The Axios attack was not isolated

    In the wake of the high-profile Axios compromise, Socket researchers learned that the same attack campaign targeted many other open source maintainers – particularly those managing Node.js and npm – as well as several Socket engineers.

    The attackers reached out via LinkedIn or Slack, posing as company owners/representatives, job recruiters, or podcast hosts, and tried to lure developers into downloading malware masquerading as a videoconferencing software update / fix.

    “The attackers used a spoofed Streamyard platform to trick Pelle Wessman, a maintainer of Mocha, into downloading a virus. Another expert, Matteo Collina, nearly fell for a Slack message on 2 April, while others like Scott Motte (creator of dotenv) and John-David Dalton (creator of Lodash) were also targeted,” Socket’s Deeba Ahmed shared.

    “They even went after Socket CEO Feross Aboukhadijeh, the creator of WebTorrent and buffer, who noted that this type of targeting is becoming the ‘new normal.’”

    Now someone is impersonating a Linux Foundation leader

    Christopher Robinson, OpenSSF’s Chief Technology Officer and Chief Security Architect, warns that attackers are currently also impersonating a well-known Linux Foundation community leader and attempting to lure the victim into following a malicious link.

    “The community has received reports of an active social engineering campaign targeting open source developers via Slack (including ToDoGroup and related communities),” he shared through the OpenSSF Siren List.

    The link provided by the attackers (https://sites.google.com/view/workspace-business/join) mimics a legitimate Google Workspace flow, but takes developers to a phishing page where they are asked to enter their login credentials and verification code, then install a fake root “Google certificate”.

    Developers using a Mac also apparently got an additional malicious binary dropped and executed via a script.

    “Installing the certificate enables interception of encrypted traffic and credential theft. Executing the binary may result in full system compromise,” Robinson noted.

    Don’t trust. Verify.

    As open source codebases have become harder to compromise directly, the attack surface has moved and the target, increasingly, is the person who ships the code.

    “Attackers are targeting developer workflows and trust relationships,” Robinson pointed out, and advised devs to verify the identities of those who reach out to them.

    “Do not trust messages based solely on name or profile, and confirm unusual requests through a separate, known communication channel. Be cautious of unsolicited outreach, even from familiar names,” he added.

    Developers should verify whether the login pages they are directed to are legitimate, avoid running software or scripts received via Slack or unknown websites, and be extra careful when faced with messages warning about expired certificates or urgent updates.
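
    The link in the advisory sits on a real Google domain, so a check that only asks "does this end in google.com?" passes it. The following added example (not part of the advisory or the original article) classifies a link by exact host instead; the `SIGN_IN_HOSTS` and `USER_CONTENT_HOSTS` sets and the sample URLs other than the advisory's link are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the exact hosts on which this team expects to type credentials.
# accounts.google.com is Google's sign-in host; add your own IdP as needed.
SIGN_IN_HOSTS = {"accounts.google.com"}

# Assumption: hosts under a trusted parent domain that serve user-built pages.
# sites.google.com is the host used by the link quoted in the advisory.
USER_CONTENT_HOSTS = {"sites.google.com"}


def classify_login_url(url: str) -> str:
    """Return 'sign-in-host', or the reason the URL is not a trusted login page."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "not-https"
    if parts.username is not None or parts.password is not None:
        # https://accounts.google.com@other.example/ connects to other.example
        return "userinfo-in-url"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no-host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Internationalised labels can render as look-alikes of ASCII names.
        return "idn-lookalike-risk"
    if host in SIGN_IN_HOSTS:
        return "sign-in-host"  # exact match only, never suffix or substring
    if host in USER_CONTENT_HOSTS:
        return "user-content-host"
    return "unknown-host"


# Constructed samples, apart from the first, which is the link in the advisory.
SAMPLES = [
    "https://sites.google.com/view/workspace-business/join",
    "https://accounts.google.com/signin",
    "https://accounts.google.com.login.example/",
    "https://accounts.google.com@login.example/",
    "http://accounts.google.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_login_url(sample):20} {sample}")
```

    Only the `sign-in-host` result means the page is one where credentials are expected; every other result is a reason to stop and confirm through a separate channel.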

    Those who’ve fallen for the trick should consider their system, their credentials, and their active sessions and tokens compromised, and proceed to clean the former and rotate/revoke the latter.

    “Report the incident to your security team or organization,” Robinson also advised, and asked those who have observed similar activity or have additional indicators to report them to their security team and share them via appropriate community channels.
