North Korean Hackers Compromise Axios npm Package in Supply Chain Attack
Summary
Google attributed the supply chain compromise of the widely used Axios npm package to North Korean threat cluster UNC1069. Attackers pushed two trojanized versions (1.14.1 and 0.30.4) containing a malicious dependency that delivers a cross-platform backdoor targeting Windows, macOS, and Linux systems.
Threat Analysis
Google's Threat Intelligence Group formally attributed the Axios npm supply chain attack to UNC1069, a financially motivated North Korean threat activity cluster with a history of targeting cryptocurrency and software supply chains. The attackers gained control of the Axios package maintainer's npm account and published two malicious versions (1.14.1 and 0.30.4) that introduced a dependency called 'plain-crypto-js'. This dependency served as a loader for a cross-platform backdoor capable of executing on Windows, macOS, and Linux systems.

Axios is one of the most popular JavaScript HTTP client libraries with hundreds of millions of weekly downloads, making the potential impact of this compromise extremely broad. The backdoor is designed to steal cryptocurrency assets and sensitive credentials.

Organizations should audit their npm dependency trees for the affected Axios versions, check for the presence of 'plain-crypto-js' in their node_modules, and scan systems for indicators of compromise. Rotate any credentials or API keys that may have been exposed in affected environments. This incident underscores the critical importance of software supply chain security and dependency integrity verification.