North Korean hackers behind axios critical supply chain attack, Google says


It didn’t take long for Google researchers to implicate North Korean hackers in an ongoing compromise of the widely used open-source package, axios. The immediate danger is over, analysts say, but the incident could have far-reaching impacts.

According to Google researchers, the recent activity could be linked to a North Korean group tracked as UNC1069, which has previously targeted cryptocurrency and decentralized finance companies.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” said John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG).


“The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.”

UNC1069 footprints found

Indeed, axios is a hugely popular JavaScript library with 100 million weekly downloads, present in about 80% of cloud and code environments.


A maintainer account for the axios npm package was compromised in the early hours of March 31st, allowing attackers to publish malicious versions of the software targeting macOS, Windows, and Linux systems. The compromised versions were discovered and removed within about 3 hours.

But despite the speed of the discovery, Wiz, a cloud security company, has observed the malicious versions in roughly 3% of the environments it has scanned.

That’s a lot of projects the infected code can persist in, so organizations are strongly advised to audit their environments for potential execution of these versions.
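One way to carry out the audit the article recommends is to check every copy of axios recorded in a project's npm lockfile against the versions named in the advisory. The script below is an added example, not code from the article or from the axios project; the affected version strings are placeholders, since the article does not name the malicious versions, and the lockfile is a constructed sample.

```javascript
// Added example (not from the article): audit an npm lockfile for installed
// copies of axios and flag any whose version is on an "affected" list.
// PLACEHOLDER versions: replace with the versions named in the official
// axios / npm advisory for this incident before using this on real projects.
const AFFECTED_AXIOS_VERSIONS = new Set(['0.0.0-placeholder-a', '0.0.0-placeholder-b']);

// Walk a package-lock.json and return every axios install with its path and
// version. Handles lockfileVersion 2/3 (flat "packages" map keyed by path)
// and lockfileVersion 1 (nested "dependencies" tree); nested copies under
// other packages' node_modules are included, since they are loaded too.
function findAxiosInstalls(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      found.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'axios') found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v1 only, avoids double counting
  return found;
}

// Return only the installs whose version is on the affected list.
function flagAffected(lock, affected = AFFECTED_AXIOS_VERSIONS) {
  return findAxiosInstalls(lock).filter((i) => affected.has(i.version));
}

// Constructed sample lockfile: a direct axios install on an affected
// placeholder version plus a nested copy on a clean placeholder version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/axios': { version: '0.0.0-placeholder-a' },
    'node_modules/some-sdk': { version: '1.2.3' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.0.0-clean' },
  },
};

const hits = flagAffected(SAMPLE_LOCK);
console.log(hits.length ? hits : 'no affected axios versions found');
```

To audit a real project, load its package-lock.json with JSON.parse and pass the object to flagAffected; a lockfile check shows what was resolved, not what actually ran, so hits should be followed up with host-level investigation.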

According to GTIG, the malicious activity can be attributed to UNC1069, a financially motivated threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of a WAVESHAPER backdoor written in C++ and previously used by the same group.

Image: axios is a hugely popular JavaScript library with 100 million weekly downloads. Image by Cybernews.

“Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities,” said the researchers in a blog post.

For example, analysis of the command and control revealed connections from a specific AstrillVPN node previously used by UNC1069, GTIG explained.

The open-source security crisis deepens

It remains unclear how the attackers gained access to the maintainer’s GitHub account. But the deed has been done, and, according to GTIG, the impact of this attack is bound to have ripple effects as other popular packages rely on axios as a dependency.

“Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks,” said the researchers.


“This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term.”

Experts responding to the hack have already told CNN that they expect a long-term campaign to steal cryptocurrency to fund the North Korean regime, which often spends such stolen money on its nuclear and missile programs.

According to GTIG, supply chain compromise is, of course, a particularly dangerous tactic because it abuses the inherent trust that users and enterprise administrators place in hardware, software, and updates supplied by reputable vendors – “as well as the trust they may not realize they are placing in collaborative code-sharing communities.”


Indeed, it seems we are now facing a deep open-source security crisis.

Over the past month, a domino effect of supply chain attacks has brought down major repositories. A threat actor, TeamPCP, infiltrated Trivy, a popular security tool, which led to the compromise of LiteLLM, a very popular Python library. Later, the hackers injected malware into Telnyx.

It remains unclear whether the axios attack is related to earlier compromises, but each successful breach hands attackers fresh credentials and initial access to further repositories.
