Google has attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean cluster tracked as UNC1069. The attackers pushed trojanized Axios releases that installed a malicious dependency, “plain-crypto-js”, which deployed the SILKBELL dropper and the cross-platform WAVESHAPER.V2 backdoor. #UNC1069 #WAVESHAPERV2
Key points
- Google’s Threat Intelligence Group attributes the Axios npm supply chain compromise to UNC1069.
- Attackers seized a maintainer account and released trojanized Axios versions 1.14.1 and 0.30.4 that introduced the “plain-crypto-js” dependency.
- “plain-crypto-js” uses a package.json postinstall hook to run the SILKBELL dropper, which fetches OS-specific payloads for Windows, macOS, and Linux.
- The WAVESHAPER.V2 backdoor supports kill, rundir, runscript, and peinject commands and beacons to a C2 every 60 seconds.
- Recommended mitigations include auditing dependencies, pinning Axios to safe versions, checking for “plain-crypto-js”, blocking the C2 domain/IP, isolating affected systems, and rotating credentials.
Read More: https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html