Google Threat Intelligence Group said a supply chain attack on the widely used JavaScript library Axios, in which the library's distribution channel rather than the library's own code was compromised, was attributed to UNC1069, a financially motivated North Korea-linked threat actor.
Axios is a widely used JavaScript library for connecting applications to web services, so a compromise in its package supply chain can reach developer endpoints and software build systems, not just a single app at runtime.
In a post detailing the intrusion, Google said an attacker inserted a malicious dependency, plain-crypto-js, into Axios versions 1.14.1 and 0.30.4 between 00:21 and 03:20 UTC on March 31.
Google said the two compromised release tracks typically see more than 100 million and 83 million weekly downloads, respectively, underscoring the attack’s potential reach across developer and build environments.
How the attack was planted and what it did on install
That dependency was added after the maintainer account associated with Axios was compromised and its email address was changed to an attacker-controlled Proton address, Google said.
The added dependency used npm’s postinstall hook, a script that npm runs automatically after a package is installed, so that installing an affected Axios version executed an obfuscated JavaScript dropper named setup.js without any further action by the user.
Google said the install script checked the host operating system, fetched a tailored second-stage backdoor for Windows, macOS or Linux, and then attempted to delete itself and restore the altered package metadata to reduce forensic traces.
The payloads and what Google used to attribute the campaign
Google said the payloads were variants of WAVESHAPER.V2, a backdoor family it links to earlier UNC1069 activity. The malware checks in with attacker-controlled infrastructure and supports file listing, remote code execution and command-based shutdown, Google said.
Google attributed the campaign to UNC1069 based on malware lineage and infrastructure overlaps, including command-and-control infrastructure tied to prior UNC1069 activity.
UNC1069’s prior activity and the wider open-source campaign
In a February report on a separate intrusion, Mandiant said UNC1069 had been targeting cryptocurrency startups, software developers and venture capital firms, and described the actor as active since at least 2018.
In the Axios case, Google said its YARA rules, malware detection rules used by defenders, would be most useful on developer workstations, CI and build systems, and other suspected impacted hosts, indicating that the immediate exposure is not limited to applications using Axios at runtime but extends to the systems that build and ship them.
Google also placed the Axios incident inside a broader run of open-source supply chain attacks.
In the same post, it said UNC6780, also known as TeamPCP, had recently poisoned GitHub Actions and PyPI packages associated with Trivy, Checkmarx and LiteLLM to deploy the SANDCLOCK credential stealer.
Google warned that hundreds of thousands of stolen secrets could already be circulating from these recent campaigns, creating scope for downstream SaaS compromise, extortion, ransomware and further software supply chain abuse.
What enterprises should do and what remains unclear
The practical problem for enterprises is that the distribution surface is clear, but the realized blast radius is not. The malicious versions were removed, but the full downstream impact was still unclear at the time of writing.
Even so, Google urged organizations to audit dependency trees and lockfiles for plain-crypto-js, isolate affected hosts, rotate exposed credentials, block sfrclak[.]com and 142.11.206.73, and serve only known-good Axios versions such as 1.14.0 or earlier and 0.30.3 or earlier from corporate-managed registries.