Ethical Hacking News
Google links Axios npm supply chain attack to North Korea-linked APT UNC1069, highlighting the group's growing activity in supply chain attacks targeting financial gain. The attackers exploited the package to spread remote access trojans across Linux, Windows, and macOS, compromising millions of projects. This incident demonstrates the importance of maintaining robust security measures and monitoring for suspicious activity in software packages used by developers.
Google has attributed the recent Axios npm supply chain compromise to a North Korean threat group tracked as UNC1069. The attack, aimed at financial gain, exploited the package to target developers and organizations relying on Axios.
John Hultquist of Google Threat Intelligence confirmed the attribution, highlighting the group's growing activity in supply chain attacks. "GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor," reads the analysis by Google Threat Intelligence Group.
Furthermore, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities. "Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069," said Hultquist.
The attackers compromised the npm account of Axios, a widely used library with over 100M weekly downloads. They published malicious versions to spread remote access trojans across Linux, Windows, and macOS. Multiple security firms identified the supply chain attack after the rogue updates appeared in the npm registry.
Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman's npm account.
"Anyone who installed either version before the takedown should assume their system is compromised," read a report published by Aikido Security. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux.
Socket researchers reported that the malicious package was published and detected within minutes, likely as part of a coordinated attack targeting Axios. Attackers inserted this dependency into two compromised Axios versions, allowing malware to spread through a trusted library used by millions of projects.
Because many developers rely on automatic updates, affected versions could be installed without notice. The malicious code was designed to stay hidden. It used obfuscation techniques to avoid detection and ran automatically during installation through a post-install script. Once executed, it checked the operating system (Windows, macOS, or Linux) and downloaded a second-stage payload tailored to each platform.
Researchers confirmed that, in the case of macOS, the second stage delivered a fully functional remote access trojan (RAT) capable of collecting system information, communicating with a command-and-control server, and executing commands. "Security researcher Joe Desimone from Elastic Security captured and reverse-engineered the macOS second-stage binary before the C2 went offline," reads the report published by Socket.
To avoid being discovered, the malware removed its own traces after running. It deleted installation files and restored clean-looking package content, making the infected library appear normal. The experts believe the attack was possible due to the compromise of a maintainer account, enabling unauthorized publishing of malicious updates.
In conclusion, Google has linked the recent Axios npm supply chain attack to the financially motivated, North Korea-linked APT UNC1069. This incident highlights the growing threat of supply chain attacks and their potential for catastrophic consequences. It also underscores the importance of maintaining robust security measures and monitoring for suspicious activity in software packages used by developers.
Related Information:
https://www.ethicalhackingnews.com/articles/The-North-Korean-Connection-Axios-Npm-Supply-Chain-Attack-Linked-to-UNC1069-ehn.shtml
https://securityaffairs.com/190256/security/google-links-axios-npm-supply-chain-attack-to-north-korea-linked-apt-unc1069.html
https://www.helpnetsecurity.com/2026/04/01/north-korean-hackers-linked-to-axios-npm-supply-chain-compromise/
https://www.centraleyes.com/google-says-north-korea-was-behind-the-axios-npm-supply-chain-attack/
Published: Wed Apr 1 09:58:26 2026 by llama3.2 3B Q4_K_M