A supply chain compromise involving the widely used JavaScript package Axios is now being tied to a North Korea-linked threat actor, turning what already looked like a serious open-source incident into a much bigger security story. Google Threat Intelligence Group said the attack targeted the official Axios package on npm and attributed the activity to UNC1069, a financially motivated North Korea-nexus group that has reportedly been active since at least 2018.
That attribution matters because it changes how defenders should think about the incident. This is not just another case of malware slipping into an obscure dependency. Axios is one of the most widely used HTTP client libraries in the JavaScript ecosystem, and its reach across applications, build systems, and cloud-connected services makes this incident unusually consequential.

The basic facts are now relatively clear. According to Google's reporting, an attacker added a malicious dependency called plain-crypto-js to axios versions 1.14.1 and 0.30.4, which were published during a short exposure window on March 31, 2026. Because it shipped as a dependency of axios rather than as a package anyone asked for by name, any install that resolved one of those two versions would have pulled it in transitively. Those versions were later removed, but the problem is not only that bad code was briefly published. It is that a trusted package was altered in a way that could have delivered malware during normal installation.
What made the attack especially dangerous is that it abused the trust developers place in legitimate package distribution. Google said the maintainer account associated with Axios was likely compromised and that the email tied to it was changed to an attacker-controlled ProtonMail address. The malicious dependency then used an npm postinstall hook to execute an obfuscated dropper in the background during installation. This works because npm runs the preinstall, install and postinstall lifecycle scripts of every package it installs, transitive dependencies included, unless the install is run with scripts disabled. In plain terms, teams did not need to open a suspicious file or fall for a phishing email. Running a routine install that resolved one of the affected versions during that window could have been enough.
The malware itself also raises the stakes. Google said the malicious dependency deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Other researchers described the campaign as a cross-platform remote access trojan delivered through a malicious postinstall hook, with anti-forensic behavior that attempted to clean up traces after execution. That is an important distinction. This was not simply a bad package that broke builds. It appears to have been designed to establish deeper access.
That answers one of the first questions many readers will have: was this just a package integrity issue, or something closer to full system compromise? Based on what has been reported so far, affected installations should be treated much closer to the second category. If a CI/CD pipeline, developer workstation, or build server pulled the malicious versions during the exposure window, the concern is not only dependency hygiene. It is possible host compromise, which means that removing the package is not enough: the host has to be investigated as a potentially backdoored system, and any secrets that were reachable from it (npm and registry tokens, cloud credentials, CI signing keys) should be assumed exposed. The anti-forensic cleanup reported by other researchers also means that a clean-looking node_modules directory after the fact is not evidence that nothing ran.
The post Google Says North Korea Was Behind the Axios npm Supply Chain Attack appeared first on Centraleyes.
*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/google-says-north-korea-was-behind-the-axios-npm-supply-chain-attack/