Top stories.
- North Korean threat actor compromises axios npm package.
- Cisco hit by cyberattack following Trivy compromise.
- Business news: Airbus to acquire Ultra Cyber.
North Korean threat actor compromises axios npm package.
A North Korean threat actor yesterday inserted a malicious dependency into two npm releases of axios, the most popular JavaScript library for making HTTP requests, according to researchers at Google's Threat Intelligence Group (GTIG) and Mandiant. The two affected versions, 1.14.1 and 0.30.4, have over 100 million and 83 million weekly downloads respectively, and were compromised for about two hours. The malicious dependency was "an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux." The backdoor is designed to "collect system information, enumerate directories, or execute additional payloads."
Google attributes the attack to UNC1069, a financially motivated threat actor tied to North Korea. The researchers note that the impact of the attack "is broad and has ripple effects as other popular packages rely on axios as a dependency."
The report concludes, "GTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority should be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any potentially exposed secrets or credentials. Following initial containment, organizations must implement long-term hardening through strict version pinning and enhanced supply-chain monitoring."
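The two corrective steps GTIG names, auditing dependency trees for the compromised versions and moving to strict version pinning, can be checked mechanically. The following Node.js script is an added example (not code from the GTIG report or from the axios project): it walks the `packages` map of an npm `package-lock.json` (lockfile version 3), reports every nested copy of axios at one of the two versions named in the story, and separately lists `package.json` entries whose ranges are not exact versions. The lockfile and `package.json` contents embedded below are constructed for the demonstration.

```javascript
// Added example: find compromised axios releases in an npm lockfile and
// flag dependency ranges that are not strictly pinned.
// The two versions come from the GTIG report quoted above.
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Lockfile v3 keys packages by install path, e.g.
// "node_modules/legacy-client/node_modules/@scope/name"; the package name is
// everything after the last "node_modules/" segment (scoped names included).
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Return every axios entry in the lockfile whose version is in the compromised
// set, including transitive copies nested under other packages.
function findCompromisedAxios(lock, compromised = COMPROMISED_AXIOS_VERSIONS) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // "" is the root project itself
    if (packageNameFromPath(installPath) !== "axios") continue;
    if (compromised.has(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// A strictly pinned range is an exact semver version (optional prerelease or
// build metadata); anything with ^, ~, comparators, wildcards or "||" is not.
function isStrictlyPinned(range) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.test(range);
}

// List package.json dependencies that are not strictly pinned.
function unpinnedDependencies(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!isStrictlyPinned(range)) out.push({ field, name, range });
    }
  }
  return out;
}

// Constructed sample lockfile: a direct axios dependency at 1.14.1 and a
// nested copy at 0.30.4 pulled in by a hypothetical "legacy-client" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/legacy-client": { version: "2.0.0" },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.4" },
  },
};

// Constructed sample package.json: axios and jest use floating ranges.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { axios: "^1.14.0", "follow-redirects": "1.15.6" },
  devDependencies: { jest: "~29.0.0" },
};

// Combine both checks into one report object so callers can act on it.
function auditProject(lock, pkg) {
  return {
    compromised: findCompromisedAxios(lock),
    unpinned: unpinnedDependencies(pkg),
  };
}

const report = auditProject(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON);
for (const hit of report.compromised) {
  console.log(`COMPROMISED axios@${hit.version} at ${hit.path}`);
}
for (const dep of report.unpinned) {
  console.log(`UNPINNED ${dep.field}.${dep.name}: "${dep.range}"`);
}
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and the corresponding `package.json`. The lockfile walk matters because a clean top-level version does not rule out a nested copy installed under another package; the pinning check is the guard GTIG recommends for after containment, and it deliberately treats caret and tilde ranges as unpinned because either would have picked up a newly published malicious patch release.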
Cisco hit by cyberattack following Trivy compromise.
Cisco sustained a cyberattack after threat actors used stolen credentials from the recent Trivy vulnerability scanner supply chain compromise to access its internal development environment, BleepingComputer reports. A source told BleepingComputer that the attackers used a malicious GitHub Action plugin from the Trivy breach to steal credentials and data from Cisco's build and development environment. Cisco's Unified Intelligence Center, CSIRT, and EOC contained the breach, which impacted dozens of devices. The compromised assets include multiple AWS access keys, more than 300 GitHub repositories, source code for AI-related and unreleased products, and customer repositories tied to banks, business process outsourcing firms, and US government agencies.
Cybernews notes that the ShinyHunters extortion group added Cisco to its list of victims yesterday, claiming to have stolen "over 3M Salesforce records containing PII (personally identifiable information), Github repositories, AWS buckets, and other internal corporate data." While the data hasn't been published, Cybernews believes the listing is related to the breach reported by BleepingComputer.
Business news: Airbus to acquire Ultra Cyber.
European aerospace giant Airbus has agreed to acquire UK-headquartered defense communications security provider Ultra Cyber. Airbus stated, "The acquisition allows Airbus to enhance its end-to-end cyber portfolio, complementing the existing UK sovereign capabilities of its cyber business based in Newport, Wales. With more than 200 employees in Ultra Cyber Ltd, primarily based in its state-of-the-art cyber centre of excellence in Maidenhead, Airbus is reinforcing its commitment to the UK as a core home nation of Airbus and its active role in maintaining the UK's digital security. This acquisition will join the growing Cyber activities within Airbus Defence and Space’s Connected Intelligence business unit and creates a scale UK sovereign cyber champion."