Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

2026-04-01

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Google has attributed the supply chain attack on the Axios npm package to North Korean threat group UNC1069, which has been operational since 2018.

•Attackers seized control of the Axios maintainer's npm account and pushed two trojanized versions (1.14.1 and 0.30.4) containing a malicious dependency called "plain-crypto-js"
•The malicious package used a postinstall hook in package.json to silently execute a JavaScript dropper (SILKBELL) that delivers OS-specific payloads for Windows, macOS, and Linux
•The backdoor WAVESHAPER.V2 supports four commands: kill, rundir, runscript, and peinject, and beacons to a C2 server every 60 seconds
•WAVESHAPER.V2 is an evolution of a prior UNC1069 backdoor, now using JSON-based C2 communication and collecting more system information
•

Mitigation steps include auditing dependency trees, pinning Axios to a safe version, checking for plain-crypto-js in node_modules, blocking the C2 domain sfrclak[.]com, and rotating all credentials

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture