Axios NPM Attack Attributed to North Korean Hackers

In a significant escalation of software supply chain threats, the popular Axios npm package was weaponized by North Korean hackers in early April 2026. Google Threat Intelligence Group has formally attributed this attack to a group it tracks as UNC1069, which has deep experience targeting cryptocurrency.

Threat actors seized a maintainer’s account to push trojanized versions containing a malicious dependency. This rogue package leveraged a postinstall script to achieve stealthy, automatic execution upon installation.

Consequently, it delivered a dropper that fetched a next-stage backdoor tailored to the victim’s operating system. The final payload, WAVESHAPER.V2, is an updated version of a backdoor previously used by the same actor.

This backdoor supports commands to run scripts, enumerate files, and execute arbitrary binaries. It beacons to a command-and-control server every 60 seconds, establishing persistent access.

Security researchers advise mitigation by auditing dependency trees and checking for “plain-crypto-js.” Furthermore, they recommend isolating compromised systems and rotating all exposed credentials immediately.

Meanwhile, experts warn this attack serves as a template for future operations. “The level of operational sophistication… reflects a threat actor that planned this as a scalable operation,” said ReversingLabs Chief Software Architect Tomislav Peričin.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Analyst Warns XRP Could Plummet to $0.87 Amid Market Weakness
• Trump: U.S. To End Iran War Within Weeks
• Google Mandates Developer Verification to Curb Malicious Apps
• Micron stock sinks 30% despite AI demand boom
• Bitcoin Surges on Reports Iran Ready to End War