Axios NPM Package Breached in North Korean Supply Chain Attack

A supply chain attack on the popular Axios NPM package published two backdoored releases that executed cross-platform payloads via a staged dependency and were downloaded by roughly 3% of users before removal. Security researchers attribute the operation to North Korean threat actor UNC1069, which used compromised maintainer credentials and long-lived NPM tokens to bypass protections and deliver self-erasing RAT droppers.

Key points

  • Two malicious Axios releases (1.14.1 and 0.30.4) were published on March 31, 2026 and removed about three hours later.
  • A staged dependency, plain-crypto-js, executed a post-install script that dropped a cross-platform remote access trojan (RAT).
  • Attackers compromised the maintainer @jasonsaayman’s NPM account and used a long-lived token to publish packages, bypassing OIDC protections.
  • Researchers link the incident to North Korean group UNC1069 and note overlaps with the WaveShaper macOS binary.
  • Impacted users should treat affected environments as compromised, audit dependencies, rotate credentials, and hunt for OS-specific malware artifacts.

Read More: https://www.securityweek.com/axios-npm-package-breached-in-north-korean-supply-chain-attack/