securityaffairs.com 4/1/2026, 2:52:58 PM · via preferred

Google Attributes Axios npm Attack to North Korean UNC1069 Hackers

First seen 2026-04-01T08:27:21.166Z · Last seen 2026-04-01T14:52:58.028Z

CyberSIXT Evidence Panel
Primary Source cloud.google.com
Threat Actor
🇰🇵 UNC1069

Google has attributed the Axios npm supply chain compromise to UNC1069, a North Korean threat group described as financially motivated. According to Google Threat Intelligence Group, UNC1069 has been active since at least 2018, with WAVESHAPER.V2 and related infrastructure cited as links to the group’s operations.

The rogue updates were published to the Axios npm package, which has over 100 million weekly downloads, and researchers noted that the malicious versions deployed a cross-platform remote access trojan across macOS, Windows and Linux. Analysts said the attack involved compromising Axios maintainer accounts to publish the malicious updates, and that the malware used obfuscation and a post-install script to run automatically.
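
As an added example (not from the article or from Google's analysis): because the malicious versions relied on a post-install script that runs automatically, one defensive check is to list which locked dependencies npm marks with hasInstallScript in package-lock.json. The sample lockfile, its versions, every package name other than axios, and the helper names are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for
// dependencies that npm flags as having preinstall/install/postinstall scripts.
// In real use, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

// Constructed sample; versions and all names other than axios are made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.0.0-sample" },
    "node_modules/example-native-addon": { version: "2.1.0", hasInstallScript: true },
    "node_modules/axios/node_modules/example-helper": { version: "0.3.1", hasInstallScript: true },
    "node_modules/@scope/example-tool": { version: "1.0.0", hasInstallScript: true, dev: true },
  },
};

// Lockfile keys are install paths; the package name follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns every locked package with install-time scripts that is not on the
// reviewed allowlist (hypothetical: names your team has already vetted).
function findInstallScriptPackages(lock, allowlist = []) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    // lockfileVersion 1 has no "packages" map and no hasInstallScript flag.
    throw new Error("lockfile has no 'packages' map; regenerate it with npm 7 or later");
  }
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !entry.hasInstallScript) continue; // skip root and script-free packages
    const name = entry.name || nameFromPath(path);
    if (allowed.has(name)) continue;
    findings.push({ name, version: entry.version, path, dev: Boolean(entry.dev) });
  }
  // Plain code-unit ordering keeps the report stable across locales.
  return findings.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

const report = findInstallScriptPackages(SAMPLE_LOCK, ["example-native-addon"]);
for (const f of report) console.log(`${f.name}@${f.version} runs install scripts (${f.path})`);
```

Installing with npm ci --ignore-scripts stops lifecycle scripts from running at install time, at the cost of breaking packages that genuinely need them.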

The impact remains unclear, but Google and others warned that the incident could have broad ripple effects given Axios’ popularity and the potential exposure of downstream projects. UNC1069 has previously been associated with supply chain activities tied to cryptocurrency theft and other operations, according to the analysis released by Google.


Article by CyberSIXT
