Close Menu
    What's Hot

    The great AI layoff is turning into the great AI rehire

    Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines

    How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News

    Facebook X (Twitter) Instagram
    Trending
    • The great AI layoff is turning into the great AI rehire
    • Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines
    • How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News
    • Wayfair Coupons: Up to 80% Off July 2026
    • Today on Sky Sports Racing: Bath, Lingfield, Yarmouth and Uttoxeter | Racing News
    • OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
    • Years After He Quit Smoking, a Lung Cancer Scan Saved His Life
    • South China Sea Nine-Dash Line Ruling, 10 Years On
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

    adminBy adminApril 1, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 01, 2026Threat Intelligence / Software Security

    Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

    Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069.

    “We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.

    “North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”

    The development comes after threat actors seized control of the package maintainer’s npm account to push two trojanized versions 1.14.1 and 0.30.4 that introduced a malicious dependency named “plain-crypto-js” that’s used to deliver a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.

    Cybersecurity

    Rather than introducing any code changes to Axios, the attack leverages a postinstall hook within the “package.json” file of the malicious dependency to achieve stealthy execution. Once the compromised Axios package is installed, npm automatically triggers the execution of malicious code in the background.

    Specifically, the “plain-crypto-js” package functions as a “payload delivery vehicle” for an obfuscated JavaScript dropper dubbed SILKBELL (“setup.js”), which fetches the appropriate next-stage from a remote server based on the victim’s operating system.

    As previously detailed by The Hacker News, the Windows execution branch delivers PowerShell malware, a C++ Mach-O binary for macOS, and a Python backdoor for Linux systems. The dropper also performs a cleanup to remove itself and replace the “plain-crypto-js” package’s “package.json” file with a clean version that does not have the postinstall hook.

    Image Source: Elastic Security Labs

    The backdoor, codenamed WAVESHAPER.V2, is assessed to be an updated version of WAVESHAPER, a C++ backdoor deployed by UNC1069 in attacks aimed at the cryptocurrency sector. The threat actor has been operational since 2018. The supply chain attack’s links to UNC1069 were first flagged by Elastic Security Labs, citing functionality overlaps.

    The three WAVESHAPER.V2 variants support four different commands, while beaconing to the command-and-control (C2) server at 60-second intervals –

    • kill, to terminate the malware’s execution process.
    • rundir, to enumerate directory listings, along with file paths, sizes, and creation/modification timestamps.
    • runscript, to run AppleScript, PowerShell, or shell commands based on the operating system.
    • peinject, to decode and execute arbitrary binaries.

    “WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069,” Mandiant and GTIG said. “While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands.”

    Cybersecurity

    “Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond).” 

    To mitigate the threat, users are advised to audit dependency trees for compromised versions (and downgrade to a safe version, if found), pin Axios to a known safe version in the “package-lock.json” file to prevent accidental upgrades, check for presence of “plain-crypto-js” in “node_modules,” terminate malicious processes, block C2 domain (“sfrclak[.]com,” IP address: 142.11.206[.]73), isolate affected systems, and rotate all credentials.

    “The Axios attack should be understood as a template, not a one-time event. The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation,” ReversingLabs Chief Software Architect Tomislav Peričin told The Hacker News.

    “If this campaign is now appearing in PyPI and NuGet, that’s consistent with what the attack mechanics already suggest: the goal was maximum developer reach. Organizations need to audit not just their npm dependencies, but every package manager feeding their build pipelines, and treat any secrets exposed in affected environments as compromised, regardless of which registry they touched.”

    attack Attributes Axios Chain Google Group Korean North npm Supply UNC1069
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleSouth Africa’s future: Three economic scenarios explored
    Next Article The Best Mushroom Coffee, WIRED Tested and Reviewed (2026)
    admin
    • Website

    Related Posts

    OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

    July 15, 2026

    How Pentera Turns AI Security Workflows into Validation Engines

    July 15, 2026

    Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    The great AI layoff is turning into the great AI rehire

    Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines

    How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News

    Wayfair Coupons: Up to 80% Off July 2026

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by