Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Axios. Show all posts
macOS
AI Chatbot AI Security Axios ChatGPT. OpenAI Cyber Attacks Digital Supply Chain Risk macOS

OpenAI Tightens macOS Security After Axios Supply Chain Attack and Physical Threat Incident

 

Security updates rolled out by OpenAI for macOS apps follow discovery of a flaw tied to the common Axios library. Because of risks exposed through a software supply chain breach, checks on app validation tightened noticeably. One outcome: stronger safeguards now guide distribution methods across desktop platforms. Verification steps increased where imitation attempts once slipped through. The company says the hacked Axios package entered a dev process via an automated pipeline, possibly revealing key signing methods tied to macOS app authentication. 

Though worries emerged over software trustworthiness, OpenAI stated no signs exist of leaked user information, breached internal networks, or tampering with its source files. Starting May 8, older versions of OpenAI’s macOS apps will no longer be supported. Updates are now mandatory, not optional. The shift pushes users toward newer releases as a way to tighten defenses. Functionality depends on using recent builds - this cuts openings for tampering. Fake or modified copies become harder to spread when outdated clients stop working. 

Security improves when only authenticated software runs. Protection rises when unverified versions fade out. Keeping systems current closes gaps exploited by malicious actors. Outdated installations pose higher risk, so access ends automatically. Upgraded versions meet stricter validation standards. Support withdrawal isn’t arbitrary - it aligns with safety priorities. 

Continued operation requires compliance with updated requirements. It could be part of a broader pattern - security incidents tied to groups connected with North Korea have recently focused on infiltrating software development environments through indirect routes. Instead of breaking into main platforms, attackers often manipulate components already trusted within workflows. This shift toward subtle intrusion methods has made early identification more difficult. Detection lags because weaknesses hide inside approved tools. 

One sign points to coordinated efforts stretching across multiple targets. The method avoids obvious entry, favoring quiet access over force. Compromised updates act like unnoticed messengers. Such strategies thrive where verification is light. Hidden flaws emerge only after deployment. Trust becomes the weak spot. Observers note similar tactics appearing elsewhere in recent breaches. Indirect pathways now draw more attention than frontal assaults. Stealth matters more than speed. Systems appear intact until downstream effects surface. Monitoring grows harder when threats arrive disguised as normal operations. 

Besides digital safety issues, OpenAI now faces growing real-world dangers. In San Francisco, law enforcement took someone into custody after a suspected firebomb was thrown close to Chief Executive Sam Altman’s home, followed by further warnings seen near corporate offices. Though nobody got hurt, the events point to rising friction tied to artificial intelligence development. OpenAI collaborates with authorities, addressing risks across online and real-world domains. Strengthening internal safeguards remains an ongoing effort, shaped by evolving challenges. 

Instead of waiting for incidents, recent steps like requiring updated macOS versions aim to build confidence in their systems. This move comes before any verified leaks occur - its purpose lies in prevention, not damage control. OpenAI pushes further into business markets right now, with growing income expected from ad tech powered by artificial intelligence along with corporate offerings. 

At the same time, efforts such as the “Trained Access for Cyber” project move forward, delivering advanced cybersecurity tools driven by machine learning to carefully chosen collaborators. Still, the event highlights how today's cyber threats are becoming harder to manage, as flaws in shared software meet tangible dangers in practice. 

Notably, OpenAI’s actions follow a wider trend across tech - companies now prioritize tighter checks, quicker updates, sometimes reworking entire defenses before problems spread.
Read more »
UNC1069
Axios Backdoor Cyber Crime Data North Korea UNC1069

North Korean Hackers Target Axios, Steal Cryptocurrency in a Massive Attack


Threat actors from North Korea hacked software used by organizations in the US to steal cryptocurrency to fund North Korea's nuclear and missile programs. Experts found 135 devices across 12 organizations hacked; however, the list of victims can increase. The investigation may take months to uncover full details of the campaign. 

Axios attacked

Hackers targeted Axios, a famous open-source JavaScript library that developers use to oversee HTTP requests. The North Korean gang accessed organizations' systems via malware that opens backdoor access to OS. Hackers targeted two versions of Axios that were downloaded over 183 million times each week; organizations that downloaded it during the particular time period were exposed to the attack.

About the incident 

Hackers with ties to Pyongyang gained access to the account of a software engineer who oversees the open-source program Axios on Tuesday for at least three hours. According to the report, the attackers used that access to send infected updates to any company that had downloaded the software at the time. This caused the software developer to rush to take back control of his account while cybersecurity executives nationwide attempted to determine the extent of the damage.

The impact 

While the full damage may take months to fix, experts believe that hundreds of thousands of business secrets have already leaked, which can make it one of the worst data breaches. 

About UNC1069

The North Korean group, suspicious of hacking Axios is called UNC1069. Since 2018, the gang has attacked the finance industry. Mandiant believes that the hackers will "try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,"

Why are attacks on the rise from North Korea

Hacking has become a staple of North Korea. The revenue generated from these cyberattacks funds the country’s nuclear and missile programs to the point that these plans are half funded through hacking. In recent years, state-sponsored hackers have stolen billions of dollars from banks and cryptocurrency firms. This includes the infamous (and record-breaking) $1.5 billion crypto theft in 2025 in a single attack. 

Most deadly cyberattack in history

The recent attack was the most advanced supply chain effort to date, cleaning its tracks after installing the payload on the target device. It made detection difficult for developers who unknowingly downloaded the malicious software. Experts say that UNC1069 is not even trying to hide anymore, they just disappears before detection. 

Read more »
Windows
Axios Data Breach http library macOS malicious npm package social engineering attacks supply chain attacks Windows

Axios npm Breach Exposes Threat of Social Engineering Attacks on Open-Source Ecosystem

 



A security incident involving the widely used Axios HTTP library has revealed how attackers are increasingly targeting software maintainers themselves, rather than exploiting code vulnerabilities, to carry out large-scale supply chain attacks.

The issue came to light after Axios maintainers disclosed that an attacker gained access to a contributor’s npm account and used it to publish two compromised versions of the package, 1.14.1 and 0.30.4. These releases included a hidden dependency named plain-crypto-js, which deployed a remote access trojan across macOS, Windows, and Linux systems.

Although the malicious packages were available for only about three hours before being removed, the short exposure window does not reduce the severity. Any system that installed these versions is now considered unsafe. Users have been advised to immediately rotate all credentials, revoke authentication tokens, and assume full compromise of affected environments.

The Axios team confirmed that they have since secured their infrastructure by resetting credentials, cleaning impacted machines, and introducing additional safeguards to prevent similar incidents.

Further investigation by Google Threat Intelligence Group linked the activity to a North Korea-associated threat actor identified as UNC1069. This group, active since at least 2018, is believed to be financially motivated. Attribution was based on malware similarities, including the use of an updated toolset previously tied to the group, as well as overlaps in command-and-control infrastructure observed in earlier operations.


Social Engineering as the Entry Point

The compromise did not begin with a technical flaw. Instead, it started weeks earlier with a carefully orchestrated social engineering attack targeting Axios maintainer Jason Saayman.

Attackers posed as a legitimate organization by replicating its branding, leadership identities, and communication style. They invited the target into what appeared to be a genuine Slack workspace. This environment was not hastily assembled. It contained multiple channels, staged conversations, and curated activity, including links that redirected to real company LinkedIn profiles. Fake user accounts were also created to impersonate employees and known open-source contributors, increasing credibility.

After establishing trust, the attackers scheduled a video meeting that appeared to involve several participants. During the session, the target was shown what looked like a technical issue, specifically a connection-related error. He was then instructed to install an update presented as necessary to resolve the problem.

In reality, this “update” was malicious software that granted the attackers remote access to the system. Once inside, they were able to extract authentication credentials linked to the npm account.


Repeated Tactics Across Multiple Targets

Other maintainers later reported nearly identical experiences. In several cases, attackers attempted to persuade targets to install what they described as a Microsoft Teams software development kit update. When that approach failed, they escalated their efforts by asking victims to execute command-line instructions, including downloading and running scripts via Curl commands.

One such target, Pelle Wessman, described how attackers abandoned the interaction and deleted all communication after he refused to comply.

These methods align with a broader category of attacks sometimes referred to as “ClickFix” techniques, where victims are misled into resolving fake technical issues that ultimately result in malware execution.


Bypassing Security Controls

Because the attackers gained access to already authenticated sessions, they were able to bypass multi-factor authentication protections. This highlights a critical limitation of MFA, which is effective against credential theft but less effective once an active session is compromised.

Importantly, the attackers did not modify Axios’s source code directly. Instead, they inserted a malicious dependency into legitimate package releases, making the compromise significantly harder to detect during routine checks.


A Coordinated Supply Chain Campaign

Research from Socket indicates that this incident is part of a broader, coordinated campaign targeting maintainers across the Node.js ecosystem. Multiple developers, including contributors to widely used packages and even core components, reported receiving similar outreach messages through platforms such as LinkedIn and Slack.

The attackers followed a consistent pattern: initial contact, trust-building within controlled communication channels, followed by staged video calls where victims were prompted to install software or run commands under the pretense of fixing technical issues.

The scale of targeting is particularly concerning. Many of the developers approached are responsible for packages with billions of weekly downloads, meaning a single compromised account can have far-reaching consequences across the global software ecosystem.


Future Outlook 

This incident surfaces a new course in attacker strategy. Rather than focusing solely on software vulnerabilities, threat actors are increasingly exploiting human trust within high-impact projects. Open-source software, which underpins much of today’s digital infrastructure, becomes an attractive target due to its widespread adoption and reliance on maintainers.

Security experts warn that such attacks are likely to increase in frequency. Protecting against them will require not only technical safeguards, but also stronger operational discipline, including stricter access controls, hardware-based authentication, and heightened awareness of social engineering tactics.

The Axios breach ultimately demonstrates that in modern supply chain attacks, the weakest link is often not the code, but the people who maintain it.

Read more »
Malware attacks
Axios Cyber Security Cyberattacks Deceptive npm packages Global Supply Chain Security macOS Malware attacks

Axios Supply Chain Attack Exposes npm Security Gaps with Token-Based Compromise

 

A breach in the Axios library - one of many relied upon in modern web development - has exposed flaws that linger beneath surface-level fixes. Through stolen access, hackers slipped harmful updates into what users assumed was safe code. This event underscores how fragile trust can be, even when systems claim stronger defenses. Progress in verifying packages and securing logins appears incomplete, given such exploits still succeed. Confidence in tools like those hosted on npm remains shaken by failures that feel both avoidable and familiar. 

A lead developer’s extended-use npm token was accessed by hackers, reports show from Huntress and Wiz. Through this entry point, altered builds of Axios emerged - versions laced with hidden code deploying a multi-system remote control tool. Not limited to one environment, the harmful update reached machines running on macOS, Windows, or Linux setups. Lasting just under three hours, the rogue releases stayed active online until taken down. 

Axios ranks among the top tools in JavaScript, downloaded more than a hundred million times each week, found in roughly eight out of ten cloud setups. Moments after the tainted update went live, malware started spreading fast; Huntress later verified infection on 135 machines while the vulnerability was active. Hidden within a third-party addition, plain-crypto-js slipped into Axios’s environment without touching its main codebase. Not through direct changes but via a concealed payload activated after installation. 

Running quietly once set up, it triggered deployment of a remote access tool on developers’ systems. Built to avoid notice, the malicious code erased itself under certain conditions. Altered components were restored automatically, masking traces left behind. One reason this breach stands out lies in its method - evading defenses thought secure. Even after adopting standard safeguards like OIDC for verified publishing and robust supply chain models, outdated tools remained active. 

A leftover npm access key opened the door despite stronger systems being in place. Where two login paths existed, preference went to the original token, rendering recent upgrades useless under that condition. This is now the third significant breach of the npm supply chain in just a few months, after events such as the Shai-Hulud incident. 

Each time, hackers used compromised maintainer login details to gain access, revealing a recurring weakness across the system. Though security professionals highlight benefits of measures like multi-factor verification and origin monitoring, these fail to block every threat when login data is exposed. 

With growing pressure, companies must examine third-party links, apply tighter rules on software setup, yet phase out outdated access methods instead. When trust rests on open-source tools, weaknesses in how credentials are handled can still invite breaches. A single event shows flaws aren’t always in the code itself - sometimes they hide where access is managed.
Read more »
UNC1069
Axios Cyber Attacks NPM Package Social Engineering UNC1069

UNC1069 Uses Social Engineering to Hijack Axios npm Package via Maintainer

 



A sophisticated social engineering operation by UNC1069 has led to the compromise of the widely used Axios npm package, raising serious concerns across the JavaScript ecosystem. The attack targeted a member of the Axios project’s maintainer team by masquerading as a legitimate Apache Software Foundation representative, using forged email domains and a fake Jira‑style ticket management system to drive the victim into installing a malicious version of the Axios GitHub Assistant browser extension. 

Once installed, the extension granted UNC1069 broad access to the maintainer’s GitHub account, enabling them to introduce a malicious update to the Axios package and push the compromised code to npm. The attack chain highlights how trusted communication channels—such as seemingly official emails and project‑related ticketing systems—can be weaponized to bypass technical safeguards. By impersonating Apache staff and leveraging the perceived legitimacy of the GitHub Assistant tool, the threat actors manipulated the maintainer into unintentionally installing a malicious browser extension. 

The extension then captured the maintainer’s GitHub cookies and session tokens, which allowed UNC1069 to log in, survey the project, and ultimately publish a malicious version of Axios. This incident underscores that even projects with strong code‑review practices are vulnerable when human‑factor controls and identity‑verification steps are overlooked. Although the malicious Axios package was not directly downloaded more than a handful of times, the episode triggered a sharp spike in removals of older Axios releases from the npm registry. 

This suggests that many developers likely removed the package from projects preemptively to mitigate potential supply‑chain exposure. The fact that the malicious package was quickly removed after detection indicates that npm’s monitoring and incident‑response mechanisms responded promptly; however, the broader damage lies in the erosion of trust and the disruption to downstream projects that depend on Axios. Maintainers and organizations are now forced to revisit their authentication workflows and rethink how they verify communications from partners or foundation staff. A

xios has since published a security update and clarified that the malicious package was an isolated, short‑lived incident in the npm registry. The project’s team has emphasized the importance of using multi‑factor authentication, hardening account security, and limiting third‑party extension access to critical accounts. Security teams are also being advised to audit any browser extensions granted to corporate or critical‑project accounts and to treat unsolicited tools or utilities—especially those tied to “official” infrastructure—as potential red flags. Moving forward, the Axios team is expected to tighten collaboration rules with foundations and external organizations to reduce the risk of similar impersonation‑driven attacks. 

The UNC1069‑Axios incident serves as a stark reminder that software supply‑chain security is only as strong as its weakest human link. Social engineering continues to be a highly effective vector for attackers, especially when paired with technical infrastructure that appears legitimate. For developers and organizations, this event reinforces the need for layered defenses: robust technical safeguards, strict identity‑verification protocols, and continuous security awareness training. As open‑source projects become increasingly central to modern software stacks, protecting maintainers’ accounts and communication channels must be treated with the same urgency as protecting the code itself.
Read more »
Spear Phishing
Axios Data Breach Financial Loss Ransomware Attacks. Securities and Exchange Commission Sensitive Information Spear Phishing

Security Executives: Navigating Cyber Liability Risks

Businesses and organizations across all industries now prioritize cybersecurity as a top priority in an increasingly digital world. Following cyber threats and breaches, security executives are facing increasing liability issues, as reported in recent studies. In addition to highlighting the necessity of effective cybersecurity measures, the Securities and Exchange Commission (SEC) has been actively monitoring the activities of security leaders.

The SEC's recent complaint against a major corporation underscores the gravity of the situation. The complaint, filed in November 2023, alleges that the security executives failed to implement adequate measures to safeguard sensitive information, resulting in a significant data breach. The breach not only exposed sensitive customer data but also caused financial losses and reputational damage to the company. This case serves as a stark reminder that security executives can be held personally liable for lapses in cybersecurity.

As highlighted in the 2022 Axios report, boardroom cyber threats are becoming increasingly sophisticated, targeting high-level executives and their decision-making processes. Cybercriminals employ tactics such as social engineering, spear-phishing, and ransomware attacks to exploit vulnerabilities in organizational structures. This necessitates a comprehensive approach to cybersecurity that involves not only technological solutions but also robust policies, employee training, and incident response plans.

One invaluable resource for organizations striving to enhance their cybersecurity posture is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework provides a structured approach to managing and reducing cybersecurity risks. It outlines five key functions: Identify, Protect, Detect, Respond, and Recover. By following this framework, security executives can establish a clear roadmap for assessing and improving their organization's cybersecurity capabilities.

Security executives are dealing with an ever-growing amount of accountability in the field of cybersecurity. Reports and recent instances highlight the necessity of taking preventative action to reduce liability risks. An essential instrument for strengthening an organization's defenses against cyber threats is the implementation of the NIST Cybersecurity Framework. Organizations may better safeguard themselves, their stakeholders, and their reputations in an increasingly digital environment by implementing a comprehensive cybersecurity strategy.

Read more »
Silicon Valley
Axios Cyber Crime Hacking Sequoia Capital Silicon Valley

Sequoia Capital Told Investors it was Hacked

 

Sequoia Capital told its investors on Friday that some personal and financial data may have been accessed by a third party after one of its employees succumbed to a successful phishing assault, as per a report of Axios. Sequoia Capital is one of Silicon Valley's most seasoned and most successful venture capital firms with more than $38 billion in assets under management, as per Pitchbook data. The 49-year-old venture capital firm has invested in organizations like Airbnb, DoorDash, and 23andMe. It has likewise put resources into cybersecurity organizations like FireEye and Carbon Black, as indicated by its site. 

Sequoia was established by Don Valentine in 1972 in Menlo Park, California. During the 1990s, Valentine gave control of the organization to Doug Leone and Michael Moritz. In 1999, Sequoia extended its tasks to Israel. Sequoia Capital China was set up in 2005 as an offshoot to the U.S. firm. The organization is driven by Neil Shen. In 2006, Sequoia Capital procured Westbridge Capital Partners, an Indian venture capital firm. It later was renamed Sequoia Capital India. CB Insights perceived Sequoia Capital as the main funding firm in 2013. The U.S. firm had 11 accomplices as of 2016.

Sequoia told investors that it has not yet seen any sign that undermined data is being exchanged or in any case misused on the dark web, Axios reported. A Sequoia representative affirmed on Saturday that it had "recently experienced a cybersecurity incident" that its security team was investigating. It had additionally notified law enforcement and was working with outside cybersecurity experts, the firm said.

A Sequoia spokesperson said, "We recently experienced a cybersecurity incident. Our security team responded promptly to investigate, and we contacted law enforcement and engaged leading outside cybersecurity experts to help remediate the issue and maintain the ongoing security of our systems." He also said, "We regret that this incident has occurred and have notified affected individuals. We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats."

It doesn't create the impression that the hack was associated with the Solarwinds assaults, which incorporated a bigger breach of FireEye and has affected government agencies and large technology companies like Microsoft.
Read more »
Subscribe to: Posts (Atom)