Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Summary

Google's Threat Intelligence Group formally attributed the Axios npm package compromise to UNC1069, a financially motivated North Korean threat actor. The attack involved trojanized versions 1.14.1 and 0.30.4 that delivered a malicious "plain-crypto-js" dependency with a JavaScript dropper (SILKBELL) and cross-platform backdoor (WAVESHAPER.V2) targeting Windows, macOS, and Linux. The sophisticated operation included pre-staged payloads, compromised maintainer credentials, and forensic self-destruction capabilities, indicating a scalable, planned campaign likely targeting cryptocurrency and developer ecosystems.

Full text

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 Ravie LakshmananApr 01, 2026Threat Intelligence / Software Security Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement. "North Korean hackers have deep experience with supply chain attacks, which they've historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts." The development comes after threat actors seized control of the package maintainer's npm account to push two trojanized versions 1.14.1 and 0.30.4 that introduced a malicious dependency named "plain-crypto-js" that's used to deliver a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems. Rather than introducing any code changes to Axios, the attack leverages a postinstall hook within the "package.json" file of the malicious dependency to achieve stealthy execution. Once the compromised Axios package is installed, npm automatically triggers the execution of malicious code in the background. Specifically, the "plain-crypto-js" package functions as a "payload delivery vehicle" for an obfuscated JavaScript dropper dubbed SILKBELL ("setup.js"), which fetches the appropriate next-stage from a remote server based on the victim's operating system. As previously detailed by The Hacker News, the Windows execution branch delivers PowerShell malware, a C++ Mach-O binary for macOS, and a Python backdoor for Linux systems. The dropper also performs a cleanup to remove itself and replace the "plain-crypto-js" package's "package.json" file with a clean version that does not have the postinstall hook. Image Source: Elastic Security Labs The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069 in attacks aimed at the cryptocurrency sector. The threat actor has been operational since 2018. The supply chain attack's links to UNC1069 were first flagged by Elastic Security Labs, citing functionality overlaps. The three WAVESHAPER.V2 variants support four different commands, while beaconing to the command-and-control (C2) server at 60-second intervals - kill, to terminate the malware's execution process. rundir, to enumerate directory listings, along with file paths, sizes, and creation/modification timestamps. runscript, to run AppleScript, PowerShell, or shell commands based on the operating system. peinject, to decode and execute arbitrary binaries. "WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069," Mandiant and GTIG said. "While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands." "Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond)." To mitigate the threat, users are advised to audit dependency trees for compromised versions (and downgrade to a safe version, if found), pin Axios to a known safe version in the "package-lock.json" file to prevent accidental upgrades, check for presence of "plain-crypto-js" in "node_modules," terminate malicious processes, block C2 domain ("sfrclak[.]com," IP address: 142.11.206[.]73), isolate affected systems, and rotate all credentials. "The Axios attack should be understood as a template, not a one-time event. The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation," ReversingLabs Chief Software Architect Tomislav Peričin told The Hacker News. "If this campaign is now appearing in PyPI and NuGet, that's consistent with what the attack mechanics already suggest: the goal was maximum developer reach. Organizations need to audit not just their npm dependencies, but every package manager feeding their build pipelines, and treat any secrets exposed in affected environments as compromised, regardless of which registry they touched." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cryptocurrency, cybersecurity, Malware, North Korea, NPM, software security, supply chain attack, Threat Intelligence Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• domain — sfrclak.com
• ip — 142.11.206.73
• malware — WAVESHAPER.V2
• malware — SILKBELL
• malware — plain-crypto-js