πŸ›‘οΈ Security Tools

North Korea's UNC1069 Turns Axios NPM into Cross-Platform Trapdoor

Google's just named North Korea's UNC1069 as the crew behind the Axios npm hijack. It's a slick supply chain play, dropping cross-platform backdoors on devs worldwide.

Marcus Rivera πŸ“… Apr 03, 2026 ⏱️ 4 min read πŸ‘οΈ 0 views
Elastic Security Labs diagram of UNC1069's Axios NPM supply chain attack payload flow

⚑ Key Takeaways

  • UNC1069 used a postinstall hook in plain-crypto-js for stealthy, cross-platform backdoor deployment via compromised Axios.
  • WAVESHAPER.V2 evolves prior malware with JSON C2, more commands, tying directly to North Korean ops since 2018.
  • Audit deps now: Pin Axios, block sfrclak.com, scan for traces β€” npm's trust model demands it.

🧠 What's your take on this?

Cast your vote and see what Threat Digest readers think

Marcus Rivera
Written by

Marcus Rivera

Tech journalist covering AI business and enterprise adoption. 10 years in B2B media.

#Axios npm attack #North Korea supply chain #WAVESHAPER backdoor #north korea hackers #supply chain compromise #unc1069

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox β€” no noise, no spam.

Originally reported by The Hacker News

Related Stories

πŸ“¬

Stay in the loop

The week's most important stories from Threat Digest, delivered once a week.

No spam. Unsubscribe any time.