North Korean Hackers Linked to Recent NPM Supply Chain Compromise

Axios Software Supply Chain Attack

The software supply chain attack that resulted in the compromise of npm packages of Axios, an extremely popular HTTP client library, is believed to be the work of financially motivated North Korean attackers.

Attack Details

  • On March 31, 2026, unknown attackers gained unauthorized access to an Axios maintainer’s npm account.
  • They published two backdoored versions of the library, introducing a hidden dependency containing a post-install script.
  • The script executed automatically during installation and attempted to deploy malware capable of remote access and system compromise.

“The attackers’ primary goal was to gain unauthorized access to affected systems, potentially allowing them to steal sensitive data or move laterally within compromised environments.” — Researchers from Google Threat Intelligence Group (GTIG) and Mandiant

The stealth and sophistication of the attack pointed to skilled attackers who had developed custom malware to achieve their objectives.

Analysis of Backdoor and C2 Infrastructure

  • Researchers identified the platform-specific payloads as variants of a backdoor tracked by GTIG as WAVESHAPER.V2.
  • The macOS variant was written in C++ and could collect system information, enumerate directories, and execute additional payloads.
  • Additional variants of WAVESHAPER.V2 were written in PowerShell and Python to target Windows and Linux environments, respectively.

“Previous versions of the backdoor were used by a North Korea-nexus threat actor called UNC1069, which has been active since at least 2018 and is known for targeting organizations to steal cryptocurrency.” — Researchers from Google Threat Intelligence Group (GTIG) and Mandiant

Even though the exposure window was short, lasting less than three hours, the potential impact of this compromise is significant because of Axios' enormous install base and its presence as a transitive dependency in millions of applications.

Risk Assessment and Remediation Advice

  • Organizations that install npm packages in CI/CD pipelines may have automatically pulled the malicious versions into build environments during the brief window of exposure.
  • Systems that did not directly install Axios could be indirectly impacted if another package in the environment depended on the compromised versions.

Defenders should treat this campaign as a priority: enterprises should determine whether the compromised versions were installed anywhere, including build environments and systems that pulled them in transitively, remediate any affected hosts, and harden environments against future attacks of this kind.
