{"id":455,"date":"2026-04-01T08:30:16","date_gmt":"2026-04-01T08:30:16","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=455"},"modified":"2026-04-01T08:30:16","modified_gmt":"2026-04-01T08:30:16","slug":"google-attributes-axios-npm-supply-chain-attack-to-north-korean-group-unc1069","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=455","title":{"rendered":"Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 01, 2026<\/span><\/span>Threat Intelligence \/ Software Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Google has formally attributed<\/a> the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069<\/strong>.<\/p>\n

\u00abWe have attributed the attack to a suspected North Korean threat actor we track as UNC1069,\u00bb John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.<\/p>\n

\u00abNorth Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.\u00bb<\/p>\n

The development comes after threat actors seized control of the package maintainer’s npm account to push two trojanized versions 1.14.1 and 0.30.4 that introduced a malicious dependency named \u00abplain-crypto-js\u00bb that’s used to deliver a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Rather than introducing any code changes to Axios, the attack leverages a postinstall hook within the \u00abpackage.json\u00bb file of the malicious dependency to achieve stealthy execution. Once the compromised Axios package is installed, npm automatically triggers the execution of malicious code in the background.<\/p>\n

<\/p>\n

Specifically, the \u00abplain-crypto-js\u00bb package functions as a \u00abpayload delivery vehicle\u00bb for an obfuscated JavaScript dropper dubbed SILKBELL (\u00absetup.js\u00bb), which fetches the appropriate next-stage from a remote server based on the victim’s operating system.<\/p>\n

As previously detailed by The Hacker News, the Windows execution branch delivers PowerShell malware, a C++ Mach-O binary for macOS, and a Python backdoor for Linux systems. The dropper also performs a cleanup to remove itself and replace the \u00abplain-crypto-js\u00bb package’s \u00abpackage.json\u00bb file with a clean version that does not have the postinstall hook.<\/p>\n\n\n\n\n
\"\"<\/a><\/td>\n<\/tr>\n
Image Source: Elastic Security Labs<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069 in attacks aimed at the cryptocurrency sector. The threat actor has been operational since 2018. The supply chain attack’s links to UNC1069 were first flagged by Elastic Security Labs, citing functionality overlaps.<\/p>\n

The three WAVESHAPER.V2 variants support four different commands, while beaconing to the command-and-control (C2) server at 60-second intervals –<\/p>\n