North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

2026-03-31

21 min read

by Google Threat Intelligence Group

Tags:

Threat Intelligence

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Google Threat Intelligence Group (GTIG) details an active supply chain attack on the axios NPM package attributed to North Korea-linked threat actor UNC1069.

•Attacker compromised the axios maintainer account and introduced malicious dependency "plain-crypto-js" into versions 1.14.1 and 0.30.4 on March 31, 2026
•The malicious package used a postinstall hook to silently execute an obfuscated dropper (setup.js / SILKBELL) that delivers OS-specific payloads for Windows, macOS, and Linux
•Final payload is WAVESHAPER.V2, a C++ backdoor (with PowerShell and Python variants) that beacons to C2 every 60 seconds and supports commands: kill, rundir, runscript, and peinject
•Attribution to UNC1069 is based on WAVESHAPER.V2 lineage, shared C2 infrastructure, and AstrillVPN node overlap with prior UNC1069 operations

North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture