Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069.
"We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.
"North Korean hackers have deep experience with supply chain attacks, which they've historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts."
The development comes after threat actors seized control of the package maintainer's npm account to push two trojanized versions, 1.14.1 and 0.30.4, that introduced a malicious dependency named "plain-crypto-js," which is used to deliver a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.
Rather than introducing any code changes to Axios, the attack leverages a postinstall hook within the "package.json" file of the malicious dependency to achieve stealthy execution. Once the compromised Axios package is installed, npm automatically triggers the execution of malicious code in the background.
Specifically, the "plain-crypto-js" package functions as a "payload delivery vehicle" for an obfuscated JavaScript dropper dubbed SILKBELL ("setup.js"), which fetches the appropriate next-stage from a remote server based on the victim's operating system.
As previously detailed by The Hacker News, the Windows execution branch delivers PowerShell malware, a C++ Mach-O binary for macOS, and a Python backdoor for Linux systems. The dropper also performs a cleanup to remove itself and replace the "plain-crypto-js" package's "package.json" file with a clean version that does not have the postinstall hook.
Image Source: Elastic Security Labs
The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ implant deployed by UNC1069 in attacks aimed at the cryptocurrency sector. The threat actor has been operational since 2018. The supply chain attack's links to UNC1069 were first flagged by Elastic Security Labs, citing functionality overlaps.
The three WAVESHAPER.V2 variants support four different commands, while beaconing to the command-and-control (C2) server at 60-second intervals:
- kill, to terminate the malware's execution process.
- rundir, to enumerate directory listings, along with file paths, sizes, and creation/modification timestamps.
- runscript, to run AppleScript, PowerShell, or shell commands based on the operating system.
- peinject, to decode and execute arbitrary binaries.
"WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069," Mandiant and GTIG said. "While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands."
"Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond)."
The links to North Korea are also bolstered by the fact that the macOS binary references developer build paths like "Jain_DEV/client_mac/macWebT/macWebT," where "macWebT" links directly to BlueNoroff's "webT" module from RustBucket and Hidden Risk malware campaigns in 2023 and 2024, according to researcher Giuseppe Massaro.
Taylor Long, senior analyst at GTIG, told The Hacker News that the use of supply chain attacks is not a new strategy for threat actors from the Democratic People's Republic of Korea (DPRK). "Several DPRK threat actors have a history of conducting supply chain compromises and leveraging malicious npm packages for cryptocurrency theft, while also continuing to rely on social engineering techniques," Long added.
What's currently unclear is the motivation behind the campaign. While UNC1069 is assessed to be financially driven, the attack activity stemming from the compromise of Axios does not explicitly involve cryptocurrency theft or ransomware deployment.
"We currently don't have enough visibility into post-compromise activity to assess their motivation, but given what we know about UNC1069 and how DPRK threat actors are mandated to generate revenue, we're likely to see some financially motivated attacks emerge from this," Long said.
To mitigate the threat, users are advised to audit dependency trees for the compromised versions (and downgrade to a safe version, if found), pin Axios to a known safe version in the "package-lock.json" file to prevent accidental upgrades, check for the presence of "plain-crypto-js" in "node_modules," terminate malicious processes, block the C2 domain ("sfrclak[.]com," IP address: 142.11.206[.]73), isolate affected systems, and rotate all credentials.
"The Axios attack should be understood as a template, not a one-time event. The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation," ReversingLabs Chief Software Architect Tomislav Peričin told The Hacker News.
"If this campaign is now appearing in PyPI and NuGet, that's consistent with what the attack mechanics already suggest: the goal was maximum developer reach. Organizations need to audit not just their npm dependencies, but every package manager feeding their build pipelines, and treat any secrets exposed in affected environments as compromised, regardless of which registry they touched."
Update
Microsoft has attributed the supply chain compromise to a North Korean state-sponsored threat actor it tracks as Sapphire Sleet (aka CryptoCore or CageyChameleon), an offshoot of BlueNoroff (aka Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, and TA444). It's assessed to be active since at least March 2020.
"The threat actor focuses primarily on the finance sector, including cryptocurrency, venture capital, and blockchain organizations," the company said. "The primary motivation of this actor is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms."
CrowdStrike, in its report, linked the incident to Stardust Chollima with moderate confidence based on the deployment of an updated variant of ZshBucket, a macOS malware previously identified as exclusively used by the adversarial collective.
"The observed macOS variant in this case extensively reuses code from previous instances, including function names," it said. "All variants retain characteristics of previous instances, including how it profiles the user and host of the operating system, and how it sends the collected information."
The new version of ZshBucket also builds on the predecessor's functionality by implementing a common JSON-based messaging protocol for all platform-specific instances and adding commands that make it possible to execute binary payloads, execute arbitrary scripts and commands, enumerate the file system, and remotely terminate the implant.
According to the cybersecurity company, the supply chain attack leveraging updated ZshBucket variants is part of broader efforts undertaken by the threat actor to scale its campaigns. This is significant, not least because Stardust Chollima has demonstrated an increased operational tempo since the end of Q4 2025.
"Stardust Chollima's operations prioritize currency generation and regularly target cryptocurrency holders, and the adversary has also conducted widespread supply chain compromises impacting fintech companies' npm and PyPI repositories," it added. "The adversary's motivation probably aligns with this currency generation objective."
Veracode has since found evidence of possible spread via a mirrored package named "@depup/axios" that republished the compromised Axios version (1.14.1) just 17 minutes after its release.
"This indicates that the malware was quickly copied and spread by automated systems before it could be removed, possibly expanding its reach beyond npm itself," the company said in a statement shared with The Hacker News. "It also underscores that even short-lived supply chain attacks may persist through affected packages."
Additional analyses of the Axios supply chain incident, along with indicators of compromise, have been published by various security vendors:
- Aikido Security
- Arctic Wolf
- Datadog
- JFrog
- Mondoo
- OpenSourceMalware
- Orca Security
- OX Security
- Palo Alto Networks Unit 42
- Semgrep
- SOCRadar
- Sonatype
- Sophos
- Snyk
- Tenable
- Trend Micro
- Vectra AI
- Wiz
"The Axios npm compromise serves as a stark reminder of the compounding nature of supply chain attacks," Aaron Walton, senior threat intel analyst at Expel, told The Hacker News. "When a core package is compromised, the threat surface expands exponentially to include every downstream dependency, application, and environment that relies on it."
"High-profile incidents in March alone, including Trivy and LiteLLM, underscore the increasing frequency and severity of these exploits. While the cybersecurity community and maintainers are accelerating their response times, even a narrow window of exposure can lead to catastrophic data loss. Supply chain compromises are no longer 'outlier' events; they're a persistent reality. Organizations must shift from reactive response to proactive defense to protect their own data."
(The story was updated on April 3, 2026, to reflect the latest developments.)