Skip to main content
Emerging ThreatsMalware & Ransomware

North Korea-linked actor compromises axios NPM package

Shadowy figure lurks near laptop with tangled wires and broken padlock, amidst eerie city glow.

In the ever-evolving landscape of cybersecurity, a recent incident has raised concerns about the vulnerability of software supply chains. The question on everyone's mind is: can we trust the packages we download and use in our applications? A shocking discovery by Google Threat Intelligence Group (GTIG) has brought this issue to the forefront.

The Compromise

On March 31, 2026, GTIG observed a malicious dependency, "plain-crypto-js," introduced into the popular Node Package Manager (NPM) package "axios." Axios, a JavaScript library used to simplify HTTP requests, has over 100 million weekly downloads for its latest version and 83 million for an older version. The malicious dependency was added to axios NPM releases versions 1.14.1 and 0.30.4 between 00:21 and 03:20 UTC. According to GTIG, the attacker used a compromised maintainer account associated with the axios package, with the email address changed to an attacker-controlled account (ifstap@proton.me).

The threat actor employed a postinstall hook within the "package.json" file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, NPM automatically executes an obfuscated JavaScript dropper named "setup.js." This dropper deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems.

The Actor and Motivations

GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor, and overlaps with infrastructure used by UNC1069 in past activities support this attribution.

This incident highlights the risks associated with software supply chain attacks. As the axios package is widely used, the potential impact of this compromise is significant. The attackers' goal is likely financial gain, but the methods used also pose a risk to national security and individual users.

Mitigation and Future Risks

To mitigate this threat, defenders should identify and update vulnerable axios packages. Users and organizations must remain vigilant, regularly updating their dependencies and monitoring for suspicious activity. The incident also underscores the importance of secure package management and the need for robust security measures throughout the software supply chain.

As we consider the implications of this incident, we are left with a pressing question: how can we ensure the integrity of the software we rely on? The answer lies in a combination of robust security measures, vigilant monitoring, and a commitment to securing the software supply chain.

Read the original story from Google Cloud Threat Intelligence.