Threat Intel · HIGH

Google Attributes Axios npm Supply Chain Attack to UNC1069

Source: The Hacker News
Tags: UNC1069, Axios, WAVESHAPER, supply chain attack, North Korea

In short: attackers hijacked a widely used software package and used it to distribute malware.

The Threat

Google has formally attributed the recent supply chain attack on the Axios npm package to UNC1069, a North Korean threat group known for financially motivated operations, particularly against the cryptocurrency sector. The attackers compromised the package maintainer's npm account and used it to publish two malicious versions of Axios. Both versions added a new dependency, plain-crypto-js, which carried the loader for a backdoor.

The malicious code is launched by an npm postinstall lifecycle script, so it runs automatically as soon as a compromised Axios version is installed, before any application code is executed. This is what makes the technique hard to spot: Axios's own source is untouched, and the attack rides on the installation process instead. The backdoor, tracked as WAVESHAPER.V2, is an evolution of an earlier variant and targets Windows, macOS and Linux.

Who's Behind It

The attack has been linked to UNC1069, a group active since 2018 with a history of using supply chain compromises to gain access to systems and steal cryptocurrency. According to John Hultquist, chief analyst at Google Threat Intelligence Group, the incident demonstrates the group's maturity in executing such attacks. The payloads fetch additional components selected for the victim's operating system, which points to a high level of operational sophistication.

The group's ability to compromise maintainer credentials and deploy pre-staged, multi-platform payloads within a short window indicates a well-planned operation. This is not a one-off event; it fits a broader pattern of attacks on the software development ecosystem itself.

Tactics & Techniques

The attack delivers a cross-platform backdoor that executes operator-supplied commands on infected systems. WAVESHAPER.V2 supports several commands, including:

  • kill: to terminate the malware process.
  • rundir: to list directories and file details.
  • runscript: to execute scripts based on the OS.
  • peinject: to run arbitrary binaries.

These capabilities give the attackers persistent control over infected systems and a path to further activity. The backdoor communicates with a command-and-control (C2) server, polling for tasking every 60 seconds. The steady beacon lets operators adapt their actions to the compromised environment; it is also a regular, repeating network pattern that defenders can look for.

Defensive Measures

To mitigate the risk posed by this attack, developers and organizations should take immediate action. Here are some recommended steps:

  • Audit dependency trees, including transitive dependencies and lockfiles, for the compromised Axios versions and for the injected plain-crypto-js package, and roll back to a known-clean version where found.
  • Pin Axios to a known safe version in package-lock.json (and as an exact version in package.json) so that a routine install cannot pull in a malicious release.
  • Check for the presence of
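The audit described in the list above, and the postinstall mechanism described under "The Threat", can both be checked mechanically. The script below is an added example, not code from the article, from Google or Mandiant, or from the Axios project. It parses an npm lockfile (lockfileVersion 3 layout) to flag any installed plain-crypto-js package and any package that declares it as a dependency, and it scans installed package manifests for install-time lifecycle scripts, which is where the backdoor's loader was hooked. The sample lockfile and manifests are constructed for illustration; the version strings and the `setup.js` script name are hypothetical and are not the real malicious values.

```javascript
// Added example (not the article's, Google's, Mandiant's, or Axios's code).
// Audits an npm lockfileVersion 3 structure and a list of installed
// package.json manifests for two indicators: an unexpected plain-crypto-js
// dependency, and packages that run code through install-time lifecycle
// scripts. Sample inputs below are constructed; versions are hypothetical.

const SUSPECT_PACKAGE = 'plain-crypto-js';
// npm runs these scripts automatically during `npm install`
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Package name from a lockfile "packages" key, e.g.
// "node_modules/axios/node_modules/@scope/pkg" -> "@scope/pkg"
function packageNameFromPath(lockPath) {
  return lockPath.split('node_modules/').pop();
}

// Every lockfile entry that either is the suspect package or declares it as
// a regular, optional or peer dependency.
function findSuspectDependencies(lockfile, suspect = SUSPECT_PACKAGE) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '') continue; // root project entry
    if (packageNameFromPath(lockPath) === suspect) {
      hits.push({ path: lockPath, version: entry.version, reason: 'suspect package installed' });
    }
    for (const field of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      if (entry[field] && Object.prototype.hasOwnProperty.call(entry[field], suspect)) {
        hits.push({ path: lockPath, version: entry.version, reason: `declares ${field} on ${suspect}` });
      }
    }
  }
  return hits;
}

// Every installed manifest with an install-time lifecycle script: such a
// script runs on `npm install` whether or not the package is ever required.
function findLifecycleScripts(manifests) {
  const findings = [];
  for (const manifest of manifests) {
    const scripts = manifest.scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
        findings.push({ name: manifest.name, version: manifest.version, hook, command: scripts[hook] });
      }
    }
  }
  return findings;
}

function auditReport(lockfile, manifests) {
  const suspect = findSuspectDependencies(lockfile);
  const lifecycle = findLifecycleScripts(manifests);
  return { suspect, lifecycle, clean: suspect.length === 0 && lifecycle.length === 0 };
}

// Constructed sample lockfile (hypothetical versions, not real axios metadata)
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.0.0' } },
    'node_modules/axios': {
      version: '1.0.0-example',
      dependencies: { 'follow-redirects': '^1.15.0', 'plain-crypto-js': '^1.0.0' },
    },
    'node_modules/follow-redirects': { version: '1.15.0' },
    'node_modules/plain-crypto-js': { version: '1.0.0' },
  },
};

// Constructed sample manifests; the postinstall command is hypothetical
const SAMPLE_MANIFESTS = [
  { name: 'axios', version: '1.0.0-example', scripts: { test: 'mocha' } },
  { name: 'follow-redirects', version: '1.15.0' },
  { name: 'plain-crypto-js', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
];

// Run directly with `node audit-lockfile.js`. For a real project, replace the
// samples with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and
// the parsed package.json of each directory under node_modules.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditReport(SAMPLE_LOCKFILE, SAMPLE_MANIFESTS), null, 2));
}
```

Two things worth pairing with this check. `npm ls plain-crypto-js` asks npm's own resolver the same question and is a quick cross-check in CI. Setting `ignore-scripts=true` in `.npmrc` (or `npm config set ignore-scripts true`) stops npm from running lifecycle scripts at all, which would have blocked this loader; the trade-off is that packages which legitimately compile native code on install then need an explicit build step.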



Related Pings

  • AI Bugpocalypse - North Korean Backdoor and Cisco Breach (Risky Business; Threat Intel, HIGH): In a startling turn of events, North Korean hackers have embedded a backdoor in a widely-used npm package, which boasts over 100 million downloads per week. This incident underscores the growing sophistication of cyber threats, particularly from state-sponsored actors. The implications of such a breach are severe, as it could potentially compromise countless applications relying on this
  • March 2026 Security News - Key Cyber Threats Recapped (WeLiveSecurity (ESET); Threat Intel, HIGH): March 2026 brought significant cybersecurity threats, including a major attack on Stryker and rising ransomware incidents. Organizations must enhance their cyber-resilience plans to combat these challenges.
  • North Korea-Nexus Threat Actor Compromises Axios NPM Package (Mandiant Threat Intel; Threat Intel, HIGH): A North Korea-linked threat actor has compromised the axios NPM package. This attack affects millions of users and highlights serious supply chain vulnerabilities. Immediate action is required to secure affected systems.
  • macOS Feature - Prevents ClickFix Compromise Attacks (SC Media; Threat Intel, HIGH): Apple's latest macOS feature helps prevent ClickFix attacks by alerting users before executing risky commands. This is vital for protecting user data from phishing threats. Stay safe and informed with this new security measure.
  • Supply Chain Attack - Axios npm Package Compromised (Arctic Wolf Blog; Threat Intel, HIGH): A major supply chain attack has compromised the Axios npm package, affecting millions of applications. Users are at risk due to malicious versions published in a short time frame. Immediate action is needed to secure systems and prevent exploitation.
  • LiteLLM Supply Chain Compromise - TeamPCP's Attack Unveiled (Trend Micro Research; Threat Intel, HIGH): The recent compromise of LiteLLM, a widely-used AI proxy package, has revealed a significant threat in the cybersecurity landscape. Orchestrated by the criminal group TeamPCP, this multi-ecosystem supply chain attack is one of the most sophisticated documented to date. The attack exploited vulnerabilities in developer tooling and targeted LiteLLM, which serves as a gateway to various LLM