North Korean Hackers Compromise Axios NPM Package in Major Supply Chain Attack

Severity: High (Score: 77.0)

Sources: Nextgov, Straitstimes, Afr, Cnn, Mandiant

Summary

On March 31, 2026, North Korean operators linked to the Lazarus Group compromised the popular Axios npm package. After taking over a maintainer account, whose email was changed to an attacker-controlled address, they published versions 1.14.1 and 0.30.4 carrying a new dependency named 'plain-crypto-js'. A postinstall hook in the package.json ran the malicious code silently at install time; the dropper then fetched and executed platform-specific payloads to deploy the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux systems, giving the attackers access to sensitive data and credentials and potentially affecting millions of users. The activity was attributed to UNC1069, a financially motivated group active since 2018, based on the reuse of previously identified malware and overlapping infrastructure. The full impact is still being assessed, with initial reports indicating at least 135 compromised devices across several sectors. Google and other cybersecurity firms are investigating the incident and publishing remediation guidance.

Key Points:

  • North Korean hackers compromised the Axios npm package, affecting millions of users.
  • The attack used a malicious dependency with an install-time hook to deploy a backdoor across multiple operating systems.
  • Initial assessments indicate significant potential for data theft and further cyber operations.

Key Entities

  • Lazarus Group (apt_group)
  • UNC1069 (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • Axios (platform)
  • Linux (platform)
  • MacOS (platform)
  • Windows (platform)
  • Department of Defense (company)
  • North Korea (country)
  • Russia (country)
  • packages.npm.org (domain)
  • proton.me (domain)
  • Financial (industry)
  • Government (industry)
  • Healthcare (industry)
  • 142.11.206.73 (ipv4)
  • Silkbell (malware)
  • Waveshaper (malware)
  • Waveshaper.v2 (malware)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.006 - Python (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • Npm (tool)
  • PowerShell (tool)
  • Python (tool)
  • e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (sha256)