thehackernews.com 4/1/2026, 8:30:15 AM · via preferred

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Developing story incident 3 articles tracked
Axios npm package supply chain attack attributed to North Korean UNC1069
CyberSIXT Evidence Panel
Primary Source cloud.google.com
Threat Actor
🇰🇵 UNC1069

ACCORDING to The Hacker News, Google has formally attributed the Axios npm supply chain compromise to a North Korean threat activity cluster tracked as UNC1069. Google Threat Intelligence Group (GTIG) chief analyst John Hultquist told THN that they have attributed the attack to a suspected North Korean actor.

The incident involved threat actors seizing control of the package maintainer’s npm account to push trojanised versions 1.14.1 and 0.30.4 containing a malicious dependency named plain-crypto-js, used to deliver a cross‑platform backdoor. The dropper, codenamed WAVESHAPER.V2, is delivered via a postinstall hook and can infect Windows, macOS and Linux systems, with the Windows branch using PowerShell, macOS a C++ Mach‑O binary, and Linux a Python backdoor.

Mitigation guidance includes auditing dependency trees, downgrading Axios to a known safe version, checking for plain-crypto-js in node_modules, terminating malicious processes, blocking the C2 domain, isolating affected systems and rotating credentials. The Axios attack is described as a scalable template by researchers, reflecting a threat actor’s preparation for broad deployment.

View Primary Source Via thehackernews.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline