What is the Axios NPM supply chain attack?

North Korea's UNC1069 compromised axios versions 1.14.1 and 0.30.4, injecting plain-crypto-js to drop WAVESHAPER.V2 backdoor via postinstall.

How do I check if my project has the malicious Axios?

Run 'npm ls axios'—flag 1.14.1/0.30.4. Scan for plain-crypto-js or sfrclak.com IOCs. Update to patched versions immediately.

Will North Korean hackers target more NPM packages?

Absolutely—financial motives plus easy access mean top libs are prime. Vet deps rigorously; expect copycats.

🌐 Nation-State Threats

North Korea's UNC1069 Turns Axios into a Global Backdoor Dropper

Imagine installing a routine NPM update—and unwittingly inviting North Korean hackers into your machine. That's exactly what UNC1069 did to Axios, the HTTP kingpin with 100M+ weekly downloads.

theAIcatchup Apr 08, 2026 3 min read

Code snippet of malicious Axios NPM postinstall hook deploying North Korean backdoor

⚡ Key Takeaways

UNC1069 compromised Axios maintainer, using postinstall hooks to drop cross-platform WAVESHAPER.V2 backdoor. 𝕏
Attack hits Windows, macOS, Linux via OS-specific loaders from sfrclak[.]com C2. 𝕏
Unique insight: Signals DPRK shift to monetized supply chain farming—audit deps now to avoid the harvest. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#Axios npm attack #north korea hacking #supply chain compromise #unc1069

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Mandiant Blog

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

North Korea's UNC1069 Turns Axios NPM into Cross-Platform Trapdoor

UNC1069's AI Deepfake Zoom Trap: Seven Malware Families Hit Crypto Hard

North Korean Hackers' Slick Slack Trick: Inside the Axios npm Compromise

LiteLLM's PyPI Poison: How Hackers Turned an AI Gateway into a Secret-Scavenger

Stay in the loop