What is the Axios npm supply chain attack?

Google-attributed hack by North Korean UNC1069: They took over the maintainer account, pushed malicious Axios versions with a hidden backdoor dependency.

How to check if my project has the compromised Axios?

Run `npm ls axios` — look for 1.14.1 or 0.30.4. Scan node_modules for plain-crypto-js. Downgrade and pin safe versions.

Is UNC1069 only after cryptocurrency?

Historically yes, but this attack's motives are fuzzy — expect financial plays, DPRK revenue ops.

🛡️ Security Tools

North Korea's UNC1069 Turns Axios NPM into Cross-Platform Trapdoor

Google's just named North Korea's UNC1069 as the crew behind the Axios npm hijack. It's a slick supply chain play, dropping cross-platform backdoors on devs worldwide.

Threat Digest Apr 03, 2026 4 min read

Elastic Security Labs diagram of UNC1069's Axios NPM supply chain attack payload flow

⚡ Key Takeaways

UNC1069 used a postinstall hook in plain-crypto-js for stealthy, cross-platform backdoor deployment via compromised Axios. 𝕏
WAVESHAPER.V2 evolves prior malware with JSON C2, more commands, tying directly to North Korean ops since 2018. 𝕏
Audit deps now: Pin Axios, block sfrclak.com, scan for traces — npm's trust model demands it. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#Axios npm attack #North Korea supply chain #WAVESHAPER backdoor #north korea hackers #supply chain compromise #unc1069

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

North Korea Poisons Axios NPM with RATs in Bold Supply Chain Hit

North Korean Hackers' Slick Slack Trick: Inside the Axios npm Compromise

Axios NPM Breach: North Korea's Precision Strike on JS Devs

Iran's April 1 Deadline Puts Apple, Google in Crosshairs

Stay in the loop