North Korean Hackers Target Axios in NPM Supply Chain Attack

Basically, North Korean hackers hacked an important software library to steal data from many apps.
A significant supply chain attack compromised Axios npm packages, linked to North Korean hackers. Millions of applications could be at risk due to this breach. Security experts urge immediate action to mitigate potential impacts.
The Threat
On March 31, 2026, a significant software supply chain attack occurred, targeting the widely used Axios npm packages. This attack is believed to be orchestrated by financially motivated North Korean hackers, specifically linked to the group known as UNC1069. The attackers gained access to a maintainer's npm account, allowing them to publish two backdoored versions of the Axios library. These malicious packages contained hidden dependencies designed to execute a post-install script that could download and run additional payloads from the attackers' infrastructure.
The sophistication of this attack highlights the capabilities of the threat actors involved. The injected code was minimal, cleverly designed to evade detection, and relied on external dependencies to execute malicious actions. This stealthy approach makes it difficult for developers and security tools to identify the compromise quickly.
Who's Behind It
The attribution of this attack was made by researchers from Google Threat Intelligence Group (GTIG) and Mandiant. They traced the backdoor deployed on victim systems and the command and control (C2) infrastructure used by the attackers. The malicious payload, tracked as WAVESHAPER.V2, is a remote access trojan capable of reconnaissance and executing additional commands on compromised systems. Variants of this backdoor have been developed in multiple programming languages, targeting different operating systems including macOS, Windows, and Linux.
UNC1069 has been active since at least 2018, primarily focusing on stealing cryptocurrency. Their history of targeting organizations for financial gain raises concerns about the potential impact of this recent supply chain compromise.
What's at Risk
Although the malicious Axios npm packages were available for less than three hours, the impact is expected to be wide-reaching. Axios is a popular HTTP client library used in millions of applications, and many organizations may have inadvertently pulled the compromised versions into their build environments during this brief window. Even systems that did not directly install Axios could be affected if other packages depended on the compromised versions.
The potential for downstream risk is significant, as the attackers could use the implanted backdoor to steal sensitive data or move further into affected environments. Security experts emphasize that this incident serves as a wake-up call for organizations relying on open-source libraries in their development processes.
Recommended Actions
In light of this attack, security companies are advising developers and organizations to take immediate action. They recommend reviewing and auditing the npm packages in use, particularly any that were installed or updated during the exposure window, including Axios versions pulled in transitively by other packages. Implementing threat detection rules and strengthening security controls around the build pipeline can help prevent similar attacks in the future.
Organizations should also assess their existing security posture, remediate any compromised systems, and harden their environments against potential future threats. The broader implications of this attack underline the importance of vigilance in the face of evolving cyber threats, especially from well-resourced adversaries like North Korean hackers.