According to The Hacker News, Google has formally attributed the Axios npm supply chain compromise to a North Korean threat activity cluster tracked as UNC1069. Google Threat Intelligence Group (GTIG) chief analyst John Hultquist told THN that they have attributed the attack to a suspected North Korean actor.
The incident involved threat actors seizing control of the package maintainer’s npm account to push trojanised versions 1.14.1 and 0.30.4 containing a malicious dependency named plain-crypto-js, used to deliver a cross‑platform backdoor. The dropper, codenamed WAVESHAPER.V2, is delivered via a postinstall hook and can infect Windows, macOS and Linux systems, with the Windows branch using PowerShell, macOS a C++ Mach‑O binary, and Linux a Python backdoor.
Mitigation guidance includes auditing dependency trees, downgrading Axios to a known safe version, checking for plain-crypto-js in node_modules, terminating malicious processes, blocking the C2 domain, isolating affected systems and rotating credentials. The Axios attack is described as a scalable template by researchers, reflecting a threat actor’s preparation for broad deployment.
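The dependency audit described above, as an added example that is not code from the article or from the Axios project: a POSIX shell script that walks a project's node_modules looking for the indicators the report names (installed axios copies at the trojanised versions 1.14.1 or 0.30.4, a plain-crypto-js package directory, and postinstall hooks in installed packages, since the report says the dropper runs from one). The fixture projects it builds in a temp directory, including the "0.0.0-constructed" version strings and the "setup.js" script name, are constructed sample data; the C2 domain is not named on the page, so it is not checked.

```shell
#!/bin/sh
# Added example (not from the article or the Axios project): scan an npm project
# for the indicators named in the report. Assumes a standard node_modules layout
# with no spaces in paths.

BAD_AXIOS_VERSIONS="1.14.1 0.30.4"   # trojanised releases named in the report
BAD_PACKAGE="plain-crypto-js"         # malicious dependency named in the report

# pkg_version PKGDIR: print the "version" field of PKGDIR/package.json
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

# has_postinstall PKGDIR: succeed if PKGDIR/package.json declares a postinstall script
has_postinstall() {
    grep -q '"postinstall"[[:space:]]*:' "$1/package.json" 2>/dev/null
}

# scan_project ROOT: print one "HIT ..." line per indicator found under
# ROOT/node_modules (nested installs included); return 0 if clean, 1 otherwise.
scan_project() {
    root="$1"
    hits=0
    if [ ! -d "$root/node_modules" ]; then
        echo "no node_modules under $root"
        return 0
    fi
    for pj in $(find "$root/node_modules" -name package.json -path '*/node_modules/*' 2>/dev/null); do
        pkgdir=$(dirname "$pj")
        name=$(basename "$pkgdir")
        ver=$(pkg_version "$pkgdir")
        if [ "$name" = "axios" ]; then
            for bad in $BAD_AXIOS_VERSIONS; do
                if [ "$ver" = "$bad" ]; then
                    echo "HIT axios $ver (trojanised release) at $pkgdir"
                    hits=$((hits + 1))
                fi
            done
        fi
        if [ "$name" = "$BAD_PACKAGE" ]; then
            echo "HIT $BAD_PACKAGE $ver at $pkgdir"
            hits=$((hits + 1))
        fi
        if has_postinstall "$pkgdir"; then
            echo "HIT postinstall hook in $name at $pkgdir (review before trusting)"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# make_fixture ROOT KIND: build a constructed sample project (KIND = clean | infected)
make_fixture() {
    root="$1"; kind="$2"
    mkdir -p "$root/node_modules/axios" "$root/node_modules/lodash"
    printf '{\n  "name": "lodash",\n  "version": "0.0.0-constructed"\n}\n' > "$root/node_modules/lodash/package.json"
    if [ "$kind" = infected ]; then
        # axios at a trojanised version pulling in plain-crypto-js, which carries a postinstall hook
        printf '{\n  "name": "axios",\n  "version": "1.14.1",\n  "dependencies": { "plain-crypto-js": "*" }\n}\n' > "$root/node_modules/axios/package.json"
        mkdir -p "$root/node_modules/plain-crypto-js"
        printf '{\n  "name": "plain-crypto-js",\n  "version": "0.0.0-constructed",\n  "scripts": { "postinstall": "node setup.js" }\n}\n' > "$root/node_modules/plain-crypto-js/package.json"
    else
        printf '{\n  "name": "axios",\n  "version": "0.0.0-constructed"\n}\n' > "$root/node_modules/axios/package.json"
    fi
}

# Demo on constructed fixtures so the script runs stand-alone; point scan_project at a real
# project root instead.
WORK=$(mktemp -d)
make_fixture "$WORK/clean" clean
make_fixture "$WORK/infected" infected
echo "== clean =="
scan_project "$WORK/clean" && echo "no indicators found"
echo "== infected =="
scan_project "$WORK/infected" || echo "indicators found: isolate the host and rotate credentials"
```

On the infected fixture the scan reports three hits (the axios version, the plain-crypto-js directory and its postinstall hook) and exits non-zero, so it can gate a CI step; a postinstall hit in an unrelated package is a prompt to review, not proof of compromise.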