North Korean Hackers Backdoored Axios npm Package in 40 Minutes
Google attributes the Axios npm supply chain attack to UNC1069, a North Korean threat actor. Malicious versions deployed WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
North Korean threat actors compromised the widely-used Axios npm package in a supply chain attack that deployed backdoors across all major operating systems in under 40 minutes. Google's Threat Intelligence Group (GTIG) attributed the campaign to UNC1069, a financially motivated cluster operational since at least 2018.
The attack represents a significant escalation in North Korea's software supply chain targeting. Axios is one of the most popular JavaScript HTTP client libraries, with over 100 million weekly downloads. Any organization that installed or updated to the malicious versions between 00:21 and 03:20 UTC on March 31, 2026 should assume it may be compromised.
Attack Timeline and Method
The attackers compromised maintainer credentials (how has not been disclosed) and pushed two trojanized releases: versions 1.14.1 and 0.30.4. Both versions introduced a new dependency, plain-crypto-js, which delivered the payload at installation time.
The dropper component, dubbed SILKBELL by researchers, executes via npm's postinstall hook mechanism. It fingerprints the target system and fetches platform-specific payloads:
- Windows: PowerShell-based malware variant
- macOS: C++ Mach-O binary
- Linux: Python backdoor variant
All three deliver WAVESHAPER.V2, an evolved version of a backdoor previously linked to North Korean operations. SILKBELL then performs cleanup operations to hide evidence of the initial infection.
WAVESHAPER.V2 Capabilities
The backdoor provides persistent access with four primary commands:
| Command | Function |
|---|---|
| kill | Terminate malware execution |
| rundir | Enumerate directories and file metadata |
| runscript | Execute platform-specific commands (AppleScript, PowerShell, or shell) |
| peinject | Decode and execute arbitrary binaries |
The peinject command is particularly concerning: it lets operators stage additional payloads in memory rather than writing them to disk, which defeats file-based detection. The runscript command means operators can adapt to each target's environment using its native scripting language.
UNC1069's Evolving Tactics
This attack builds on UNC1069's established pattern of targeting cryptocurrency and Web3 organizations. The group previously gained attention for using AI-generated video content in social engineering campaigns, impersonating executives and venture capitalists to trick targets into joining malicious video calls.
Their recent campaigns have abused fake Zoom, Google Meet, and Microsoft Teams meetings to compromise cryptocurrency professionals. Victims are guided to run terminal commands that download NukeSped RAT backdoors disguised as meeting software components.
The shift to supply chain compromise suggests UNC1069 is diversifying beyond social engineering. Rather than targeting individuals one at a time, they can now compromise entire organizations through a single poisoned dependency. This mirrors tactics we've seen from Lazarus Group's npm and PyPI attacks earlier this year.
Determining If You're Affected
Organizations should immediately audit their package dependencies. The malicious versions to check for:
- axios version 1.14.1
- axios version 0.30.4
- Any installation of plain-crypto-js, at any version
Google collaborated with Microsoft, GitHub, npm, and Socket to contain the incident. The malicious packages have been removed from npm, and the Axios maintainers have published updated releases.
Beyond version checking, look for:
- Network connections to sfrclak.com or 142.11.206.73
- Unexpected postinstall script execution in npm logs
- Presence of WAVESHAPER.V2 indicators (file hashes available in the Google GTIG advisory)
Detection Script Available
A community-developed detection script checks for IOC file hashes, the malicious plain-crypto-js package, compromised Axios versions, active C2 connections, npm cache artifacts, suspicious processes, and postinstall hooks. It's designed for Linux/Ubuntu systems but can be adapted for other platforms.
Recommended Actions
- Audit dependencies immediately - Check for the compromised Axios versions and for plain-crypto-js in every project, including CI images and developer machines
- Review npm cache - Clear and rebuild it if the malicious versions were ever installed; by default npm keeps fetched tarballs under ~/.npm/_cacache, so a trojanized release can persist there after the project's dependencies are corrected
- Scan for IOCs - Check for WAVESHAPER.V2 file hashes and C2 connections
- Enable lockfiles - Commit package-lock.json and install with npm ci, which refuses to deviate from the lockfile, so a resolution to a poisoned version has to arrive as a reviewable lockfile change rather than a silent upgrade; a lockfile already pinned to a trojanized version still has to be fixed by hand
- Implement SCA - Software composition analysis tools can detect supply chain compromises
The Bigger Picture
North Korea has made software supply chain attacks a core capability. The regime needs foreign currency, cryptocurrency provides it, and developer tools offer scalable access to crypto organizations. The OmniStealer campaign we covered earlier compromised 300,000 credentials through similar package-based distribution.
For context on why North Korea prioritizes cryptocurrency theft so aggressively, our recommended reading on nation-state cyber operations provides essential background on how the regime funds its weapons programs through cyber theft.
The Axios attack demonstrates that even well-maintained, popular packages can be compromised. Organizations need to treat their software supply chain as an attack surface, not just a developer convenience.
Related Articles
- North Korea Uses Deepfake Zoom Calls in Crypto Heists (Feb 12, 2026): Google Mandiant exposes UNC1069's use of AI-generated deepfake video, compromised executive accounts, and ClickFix attacks to deploy macOS malware against cryptocurrency firms.
- Lazarus Plants Malicious Packages in npm and PyPI Registries (Feb 14, 2026): North Korea's Lazarus Group targets blockchain developers with a fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.
- North Korea's Cyber Army: A Lazarus Group Profile (Jan 10, 2026): DPRK hackers stole $2B in cryptocurrency in 2025 alone. Understanding Lazarus Group's operations helps defend against state-sponsored financial theft.
- Lazarus Weaponizes Fake Job Interviews With ClickFix Malware (Jan 7, 2026): North Korean APT-Q-1 now combines fraudulent cryptocurrency job postings with ClickFix social engineering to deploy the GolangGhost backdoor and BeaverTail stealer.