Axios Supply Chain Attack Linked to North Korea-Affiliated Hackers UNC1069 by Google

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Attribution confirmed: Google Threat Intelligence Group attributes the Axios supply chain attack to North Korea-linked hackers, specifically the threat actor UNC1069.
  • Account hijacked: An npm compromise of the lead maintainer's account allowed attackers to inject a malicious dependency delivering a remote access trojan.
  • Evasion tactics: The deployed malware automatically deletes itself after execution, replacing compromised files to evade detection and escalate global cybersecurity risks.

The Axios supply chain attack was formally attributed by Google Threat Intelligence Group (GTIG) to North Korea-linked hackers tracked as UNC1069. This highly sophisticated intrusion targeted the Node Package Manager (npm) ecosystem, compromising one of the most widely utilized JavaScript HTTP client libraries in the global software supply chain.

GTIG attributed this activity to UNC1069, a financially motivated North Korea-nexus threat actor tracked by Mandiant since 2018. Analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities, including the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor.

Axios npm Compromise

The Axios breach occurred on March 31, 2026, when a compromised npm account injected the malicious plain-crypto-js package into Axios versions 1.14.1 and 0.30.4. This dependency functioned as a multi-stage payload, installing a remote access trojan (RAT) capable of executing arbitrary commands and exfiltrating system data across Windows, macOS, and Linux environments. 

The core component, SILKBELL, in setup.js, dynamically checks the operating system to deliver platform-specific payloads that ultimately deploy variants of a C++ backdoor tracked by GTIG as WAVESHAPER.V2 targeting macOS, along with additional variants written in PowerShell and Python to target diverse environments.

According to GTIG, the backdoor targeting macOS collects system information, enumerates directories, executes additional payloads, and connects to the C2 server supplied via command-line arguments. WAVESHAPER.V2 acts as a fully functional RAT with the following capabilities:

Escalating Global Cybersecurity Risks

With Axios recording approximately 100 million weekly downloads, this incident severely amplifies global cybersecurity risks. Demonstrating advanced evasion capabilities, the malware was engineered to delete itself post-execution and replace the infected files with a clean version of the tool, effectively masking the intrusion.

TeamPCP (also known as UNC6780) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate extortion operations. 

Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks, said GTIG, adding that this could “enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term.”

Software developers and network administrators must immediately audit their dependency trees, isolate affected hosts, and rotate any potentially exposed secrets or credentials to mitigate the risk of this severe network compromise, and then enforce strict version pinning and enhanced supply-chain monitoring.

In other recent news, a Mercor AI cyberattack was linked to the LiteLLM compromise, with Lapsus$ claiming the breach.

