- The compromised Axios npm package, a core tool for millions of developers, delivered a cross-platform backdoor to Windows, macOS, and Linux systems.
- Google Threat Intelligence Group has formally attributed the supply chain attack to the financially motivated North Korean threat actor UNC1069.
- The malicious code used a stealthy post-install hook to deliver the WAVESHAPER.V2 backdoor, an evolution of prior malware used to target the cryptocurrency sector.
- Users are urged to audit dependencies, check for the “plain-crypto-js” package, and isolate affected systems immediately.
In a significant escalation of software supply chain threats, the popular Axios npm package was weaponized by North Korean hackers in early April 2026. Google Threat Intelligence Group has formally attributed this attack to a group it tracks as UNC1069, which has deep experience targeting cryptocurrency.
Threat actors seized a maintainer’s account to push trojanized versions containing a malicious dependency. This rogue package leveraged a postinstall script to achieve stealthy, automatic execution upon installation.
Consequently, it delivered a dropper that fetched a next-stage backdoor tailored to the victim’s operating system. The final payload, WAVESHAPER.V2, is an updated version of a backdoor previously used by the same actor.
This backdoor supports commands to run scripts, enumerate files, and execute arbitrary binaries. It beacons to a command-and-control server every 60 seconds, establishing persistent access.
Security researchers advise mitigation by auditing dependency trees and checking for “plain-crypto-js.” Furthermore, they recommend isolating compromised systems and rotating all exposed credentials immediately.
Meanwhile, experts warn this attack serves as a template for future operations. “The level of operational sophistication… reflects a threat actor that planned this as a scalable operation,” said ReversingLabs Chief Software Architect Tomislav Peričin.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
