Ethical Hacking News
Google has attributed a supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. The attack leverages compromised maintainer credentials, pre-staged payloads for multiple operating systems, and built-in forensic self-destruction to achieve scalability in its malicious operations.
Key points:
- North Korean hackers have been attributed a supply chain compromise of the Axios npm package.
- The Axios maintainer's account was seized and used to push trojanized versions of the package carrying a malicious dependency.
- The attack delivered PowerShell malware for Windows, a C++ Mach-O binary for macOS, and a Python backdoor for Linux.
- The macOS backdoor is believed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069.
- Organizations are advised to audit npm dependencies, treat exposed secrets as compromised, and take mitigation steps such as downgrading to or pinning safe versions.
Google has formally attributed a supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. This development is significant, as it highlights the growing sophistication and reach of North Korean hackers in the realm of software supply chain attacks.
The attack in question began when threat actors seized control of the package maintainer's npm account and pushed two trojanized versions, 1.14.1 and 0.30.4, that introduced a malicious dependency named "plain-crypto-js". This package functions as a "payload delivery vehicle" for an obfuscated JavaScript dropper dubbed SILKBELL ("setup.js"), which fetches the appropriate next stage from a remote server based on the victim's operating system.
Specifically, the Windows execution branch delivers PowerShell malware, while macOS victims receive a C++ Mach-O binary and Linux systems a Python backdoor. The dropper also performs a cleanup: it removes itself and replaces the "plain-crypto-js" package's "package.json" file with a clean version that lacks the postinstall hook, so that a later inspection of the installed package shows nothing unusual.
The macOS backdoor delivered in this attack is assessed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069 in attacks aimed at the cryptocurrency sector. This threat actor has been operational since 2018 and has demonstrated expertise in supply chain attacks.
As ReversingLabs Chief Software Architect Tomislav Peričin noted, "The Axios attack should be understood as a template, not a one-time event. The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation."
Furthermore, Peričin emphasized the importance of organizations taking proactive measures to audit not just their npm dependencies but every package manager feeding their build pipelines. He advised treating any secrets exposed in affected environments as compromised, regardless of which registry they touched.
In light of this attack, users are advised to take the following mitigation steps to protect themselves from potential exploitation:
- audit dependency trees for the compromised versions and downgrade to a safe version if one is found;
- pin Axios to a known safe version in the "package-lock.json" file to prevent accidental upgrades;
- check for the presence of "plain-crypto-js" in "node_modules";
- terminate malicious processes;
- block the C2 domain "sfrclak[.]com" and the IP address 142.11.206[.]73;
- isolate affected systems; and
- rotate all credentials.
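As an added illustration of the dependency-audit step (example code written for this article, not from the article's sources or from the Axios project), the following Node.js script walks a package-lock.json in either the v1 (nested "dependencies") or v2/v3 (flat "packages") layout and flags the two trojanized Axios versions and any occurrence of "plain-crypto-js" anywhere in the tree. The sample lockfile and the version number it gives for "plain-crypto-js" are constructed.

```javascript
// Added example: flag the indicators named in the article inside a package-lock.json
// object, whether it uses the v2/v3 "packages" map or the v1 nested "dependencies" tree.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions named in the article
const MALICIOUS_DEP = "plain-crypto-js";

function auditLockfile(lock) {
  const findings = [];
  // lockfileVersion 2/3: flat "packages" map; the "" key is the root project itself.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    check(findings, name, meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree, one level per node_modules hop.
  walkV1(lock.dependencies || {}, "", findings);
  return findings;
}

function walkV1(deps, parent, findings) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = parent ? `${parent}/node_modules/${name}` : `node_modules/${name}`;
    check(findings, name, meta.version, path);
    if (meta.dependencies) walkV1(meta.dependencies, path, findings);
  }
}

function check(findings, name, version, path) {
  if (name === "axios" && COMPROMISED_AXIOS.has(version)) {
    findings.push({ path, reason: `axios@${version} is a trojanized release` });
  }
  if (name === MALICIOUS_DEP) {
    findings.push({ path, reason: `${name}@${version} is the malicious payload-delivery dependency` });
  }
}

// Constructed sample lockfile (v3 shape); the plain-crypto-js version number is made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty result means the lockfile references a compromised version or the malicious dependency.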
The incident serves as a stark reminder of the ongoing cat-and-mouse game between threat actors and organizations in the realm of software supply chain attacks. As the landscape continues to evolve, it is essential for individuals and businesses to remain vigilant and proactive in safeguarding themselves against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Axios-Supply-Chain-Attack-A-Look-into-the-North-Korean-Linked-Threat-Actor-UNC1069-ehn.shtml
https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html
https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package
https://cybersecsentinel.com/axios-npm-backdoored-unc1069-deploys-cross-platform-rat-via-supply-chain-attack/
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering
https://www.sofx.com/north-korean-hackers-inject-malware-into-axios-npm-package-used-by-millions-of-developers/
Published: Wed Apr 1 05:15:22 2026 by llama3.2 3B Q4_K_M