North Korea Hack Targets Axios JavaScript Library in Supply Chain Attack
Severity: High (Score: 77.0)
Sources: Ca.Finance.Yahoo, Nextgov, Afr, Mandiant
Summary
On March 31, 2026, Google Threat Intelligence Group reported a supply chain attack on Axios, a JavaScript library widely used for making HTTP requests. The attackers, tracked as UNC1069, a North Korean threat actor, introduced a malicious dependency named 'plain-crypto-js' into Axios versions 1.14.1 and 0.30.4. The dependency, which was downloaded millions of times, contained an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux systems. StepSecurity detected and halted the attack within hours of the malicious versions being published. The dropper ran silently during package installation, giving the operators remote access to infected hosts and the opportunity to steal data. The incident illustrates how effective a supply chain attack becomes when the compromised package is this widely used. The full impact of the breach is still being assessed, but it poses significant risk to any developer or organization that installed the affected versions.

Key Points:
- North Korean hackers compromised the Axios library, affecting millions of downloads.
- The attack involved a malicious dependency that deployed a backdoor across multiple platforms.
- The incident underscores the risks of supply chain attacks on widely used open-source software.
Key Entities
- UNC1069 (apt_group)
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- Trojan (attack_type)
- Axios (platform)
- Linux (platform)
- MacOS (platform)
- Windows (platform)
- Department of Defense (company)
- North Korea (country)
- Russia (country)
- packages.npm.org (domain)
- proton.me (domain)
- Financial (industry)
- Government (industry)
- 142.11.206.73 (ipv4)
- T1071 - Application Layer Protocol (mitre_attack)
- T1195 - Supply Chain Compromise (mitre_attack)
- e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (sha256)