GTIG: How Did North Korean Hackers Compromise Axios?

North Korea-nexus threat actor compromised the popular NPM package Axios, which has over 100 million weekly downloads
A financially motivated North Korean hacking group compromised the NPM package Axios, which has over 100 million weekly downloads, to drop a remote access trojan

North Korean cyber attackers have surfaced again.

In yet another incident involving the active compromise of the software supply chain this year, Axios – a popular npm package that is widely used by developers for handling HTTP requests – was subject to tampering by bad actors. 

Researchers at Google Threat Intelligence Group (GTIG) have linked the incident to a North Korea-nexus threat actor, tracked as UNC1069.

Also known by aliases such as CryptoCore or MASAN, UNC1069 is a financially motivated, state-sponsored threat cluster linked to North Korea that has been active since at least 2018. 

At the heart of the campaign is the compromise of a trusted open-source dependency, one that has more than 100 million weekly downloads. 


Users who installed the compromised NPM package would be served up with a remote access trojan (RAT) capable of conducting reconnaissance, executing remote commands and exfiltrating data. 

Researchers note that this sophisticated attack is still active.

Rafe Pilling, Director of Threat Intelligence at Sophos, writes on his LinkedIn: “If you use Axios hopefully you're already on top of this. 

“Analysis is ongoing but initial malware and infrastructure overlaps point to a North Korean threat group being behind this attack.”

How the attack unfolds

In the small hours of March 31, 2026, a file named “plain-crypto-js” was introduced into the axios NPM releases 1.14.1 and 0.30.4.

This malicious file was a dropper that deployed a backdoor called WAVESHAPER.V2 on Windows, macOS and Linux systems. 

This addition was possible because of a previous compromise of a maintainer account linked with Axios. 

Once the new NPM package was installed by a user, setup.js – a JavaScript dropper – would run in the background. 

The sophistication in its execution is notable. 

plain-crypto-js serves as a payload delivery vehicle: it inspects the target’s operating system and delivers a platform-specific payload. 

The script uses custom XOR- and Base64-based string obfuscation to hide its contents from casual inspection. 

Further, after the payload is delivered, setup.js attempts to delete itself and hide further forensic evidence of execution. 

Rising wave of open-source supply chain attacks

The Axios incident is not an isolated case but part of a broader surge in attacks targeting open-source ecosystems. 

Recent campaigns have shown how attackers can inject malicious code into legitimate development workflows, including package managers and continuous integration pipelines. 

This approach allows them to quietly harvest credentials, compromise systems and prepare for further exploitation.


Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, warns: “The impact of this attack is broad and has significant ripple effects, as countless other popular packages rely on axios as a dependency.”

“UNC1069 isn’t the only threat actor that has launched successful open-source supply chain attacks in recent weeks. 

“Other groups, such as TeamPCP (UNC6780), have recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.”

The year of the supply chain 

Security experts believe the implications of these attacks could extend far beyond immediate breaches. 

Compromised credentials harvested through such campaigns may circulate widely, enabling future intrusions across cloud platforms and enterprise environments.

Austin adds: “2026 is quickly shaping up to be the year of the supply chain.

“Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. 

“Over the near term, these compromised credentials could enable further software supply chain attacks, software-as-a-service (SaaS) environment compromises (leading to downstream customer breaches), ransomware and extortion events and cryptocurrency theft.”


This evolving threat landscape highlights how interconnected modern software development has become, with even a single compromised component capable of triggering cascading security failures.

What organisations should do next

In response to the Axios attack and similar incidents, cybersecurity teams are being urged to take proactive measures. 

This includes auditing dependencies, monitoring for unusual activity and ensuring rapid patching of vulnerable components.

Larsen emphasised the importance of swift action: “Defenders should pay close attention to these campaigns and enterprises should initiate dedicated efforts to assess the existing impact, remediate compromised systems and harden environments against future attacks.”

As supply chain threats continue to escalate, organisations must rethink their approach to software security.

Greater visibility, stronger controls and continuous vigilance will be essential to staying ahead of increasingly sophisticated adversaries.
