North Korean Hackers Hijack Axios Library in Sophisticated Supply Chain Attack Targeting Cryptocurrency

Asia Daily

Suspected North Korean hackers have executed one of the most operationally sophisticated supply chain attacks in recent memory, compromising Axios, a JavaScript library downloaded approximately 100 million times weekly. The attack, which lasted roughly three hours in the early hours of March 31, injected malicious code into software used by thousands of companies across healthcare, finance, cryptocurrency exchanges, and technology sectors. Security researchers estimate the poisoned versions were downloaded by roughly three percent of the library’s user base, potentially exposing hundreds of thousands of systems to remote access trojans designed to steal cryptocurrency and enterprise credentials.

Axios is a promise-based HTTP client that issues asynchronous API requests from both Node.js and browsers, making it a foundational component of modern web applications. Companies ranging from healthcare providers to financial institutions rely on it to make HTTP calls and exchange data with APIs. Some cryptocurrency firms and technology companies active in the digital asset industry also use the library, making them particularly valuable targets for Pyongyang’s revenue-generating cyber operations. Because Axios is also a transitive dependency of countless other packages, a compromise of it propagates to downstream dependencies and integrated services.

Google’s Threat Intelligence Group has formally attributed the incident to UNC1069, a financially motivated North Korean threat actor active since at least 2018. The group has built a reputation for targeting cryptocurrency exchanges, decentralized finance platforms, and venture capital firms to fund Pyongyang’s nuclear and missile programs. According to Mandiant, the intelligence firm owned by Google, this represents the latest escalation in North Korea’s campaign to weaponize the global software supply chain against high-value economic targets.


Charles Carmakal, Mandiant’s chief technology officer, explained the long-term nature of the threat.

We anticipate they will try to use the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises. It will likely take months to assess the downstream impact of this campaign.

John Hammond, a security researcher at Huntress, reported his firm has already identified approximately 135 compromised devices belonging to roughly 12 companies, though he expects this represents merely the initial wave of discoveries as organizations complete forensic audits.

The Mechanics of a Supply Chain Compromise

The attack began when the hackers seized control of the npm account of @jasonsaayman, the primary maintainer of Axios. Rather than exploiting a zero-day vulnerability, the threat actors used a long-lived access token that sidestepped the project’s modern publishing controls, including its OpenID Connect (OIDC) based publish workflow. With it they published two trojanized versions, 1.14.1 and 0.30.4, directly to the npm registry without triggering standard security alerts or being prompted for multi-factor authentication.

Hammond identified the configuration flaw that made this possible. Even on the v1.x branch, where OIDC Trusted Publishing was configured, the publish workflow still passed NPM_TOKEN as an environment variable alongside the OIDC credentials, and when both are present npm uses the token. In effect, the long-lived token was the authentication method for every publish, regardless of the OIDC configuration. A token presented by an automated publish is accepted on its own, so the multi-factor authentication the maintainer had enabled on his account was never prompted. The lesson is that a legacy credential left in a pipeline silently takes precedence over the modern mechanism meant to replace it.

The attackers demonstrated careful preparation and patience. Eighteen hours before the main assault, they published a clean version of a phantom dependency called plain-crypto-js, giving the package a publishing history so it would not stand out as a brand-new, zero-history account. Twenty minutes before the first malicious Axios release, they pushed the weaponized version of this dependency, which carried a post-installation script that runs automatically whenever a developer installs or updates the compromised library. The second backdoored release followed just 39 minutes later, suggesting the group had automated its deployment to maximize distribution within the narrow window of opportunity.

During the attack, the maintainers faced significant difficulty regaining control. In a public GitHub issue, a collaborator stated they could not revoke access from the account responsible for the malicious publish, noting that the attacker’s permissions exceeded their own. This created a race against time: the hackers retained publishing rights while the development community scrambled to contain the damage. npm eventually unpublished the malicious versions three hours after their initial release and placed a security hold on the plain-crypto-js package, replacing it with a security-holder stub an hour later.


Cross-Platform Malware Delivers Persistent Backdoor

Once installed, the malicious dependency deployed an obfuscated JavaScript dropper dubbed SILKBELL, which fetched platform-specific payloads from a remote command-and-control server at sfrclak.com. For Windows systems, the malware delivered PowerShell-based tools capable of executing arbitrary commands. macOS users received a C++ Mach-O binary, while Linux installations were targeted with a Python backdoor. Security researchers identified this second stage malware as WAVESHAPER.V2, an evolution of a backdoor previously attributed to UNC1069 in cryptocurrency sector attacks dating back to 2023.

The technical architecture of the attack reveals deliberate stealth and platform awareness. Rather than modifying Axios source code directly, which would be visible in public repositories and trigger code review alerts, the hackers inserted their malicious functionality through a dependency chain. There are zero lines of malicious code inside axios itself, and that is exactly what makes this attack so dangerous, researchers at StepSecurity noted. The plain-crypto-js package executed via a postinstall hook in its package.json file, allowing the malware to run silently during the installation process before cleaning up its own artifacts and replacing the package metadata with a clean version.

WAVESHAPER.V2 beacons to its command-and-control infrastructure every 60 seconds and accepts its C2 URL as a command-line argument, so the operators can rotate infrastructure without redeploying the implant. The backdoor supports four primary functions: terminating execution, enumerating directories with detailed file metadata including timestamps and sizes, running system commands through native scripting (AppleScript on macOS, shell commands on Linux), and injecting arbitrary binaries into running processes. Analysis by Elastic Security Labs found that the macOS binary references developer build paths linking directly to BlueNoroff’s webT module from the earlier RustBucket and Hidden Risk malware campaigns, reinforcing the North Korean attribution.


Pyongyang’s Digital Revenue Machine

North Korea’s hacking operations have evolved into a primary funding mechanism for its sanctioned nuclear weapons program. According to United Nations reports and White House estimates released in 2023, roughly half of Pyongyang’s missile development funding comes from cyber theft, with hackers stealing billions of dollars from banks and cryptocurrency firms over recent years. Last year alone, North Korean operatives stole $1.5 billion in cryptocurrency in a single record-breaking heist, demonstrating their capability to compromise high-value targets at scale.

Ben Read, director of strategic threat intelligence at Wiz, explained that North Korea operates differently from other nation-state actors.

North Korea isn’t worried about its reputation or being eventually identified, so while these types of operations are very noisy and high profile, that’s a price they’re willing to pay.

This risk tolerance allows Pyongyang to conduct brazen supply chain attacks that other nations might avoid due to potential diplomatic fallout or attribution concerns. The Axios compromise follows a pattern established three years ago when North Korean operatives allegedly infiltrated 3CX, a software provider used by healthcare firms and hotel chains for voice and video calls.

John Hultquist, chief analyst at Google Threat Intelligence Group, emphasized the group’s specific focus on digital assets.

North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.

UNC1069 has previously targeted financial technology companies using fake Zoom meetings, social engineering tactics, and multiple unique malware families, demonstrating a persistent and evolving focus on the cryptocurrency ecosystem.

A Cascade of Supply Chain Vulnerabilities

The Axios incident arrives amid a disturbing surge in supply chain attacks targeting the open-source software ecosystem. Over the past month, security teams have responded to a domino effect of compromises including attacks on Trivy, a popular security scanning tool, LiteLLM, a widely used Python library for AI model integration, and Telnyx, a communications platform. While Google has confirmed the Axios attack is unrelated to the recent TeamPCP supply chain issues, each successful breach hands attackers fresh credentials and initial access to additional repositories, creating a self-perpetuating cycle of compromise.

Carmakal warned that the recent spree of attacks has generated a massive inventory of stolen secrets. The secrets stolen over the past two weeks will enable more software supply chain attacks, software-as-a-service environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months, he explained. We are aware of hundreds of thousands of stolen credentials. A variety of actors with varied motivations are behind these attacks. The blast radius of yesterday’s axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it.

Tom Hegel, a senior researcher at SentinelOne, emphasized the invisible nature of the threat.

Every time you load a website, check your bank balance, or open an app on your phone, there’s a good chance Axios is running somewhere in the background making that work. You don’t have to click anything or make a mistake. The software you already trust did it for you.

This observation underscores how supply chain attacks exploit the implicit trust users place in established software components, bypassing traditional security awareness training and endpoint protections.


Evasion Techniques and Forensic Countermeasures

The attackers implemented anti-forensics measures that complicate incident response and detection. After execution, the malware not only deleted its own installation files but also manipulated version reporting to deceive defenders: the malicious plain-crypto-js package reported itself as version 4.2.0 rather than 4.2.1, so a security team checking package versions would be told the weaponized release was not present. This version spoofing was intended to convince administrators that their systems were running legitimate software when they had in fact installed the compromised build. The practical consequence is that a package’s self-reported version, such as the output of npm ls, cannot be used to rule out exposure; lockfile entries, install timestamps and the registry’s own record are the reliable sources.

Tomislav Pericin, chief software architect at ReversingLabs, described the attack as a template for future operations rather than an isolated incident.

The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation. If this campaign is now appearing in PyPI and NuGet, that’s consistent with what the attack mechanics already suggest: the goal was maximum developer reach.

Organizations must now audit not only npm dependencies but every package manager feeding their build pipelines. Hammond described the timing as particularly concerning given current development trends toward automation. He noted the hack was perfectly timed considering the rapid adoption of AI agents that generate software at organizations without any review or guardrails. The risk extends beyond direct Axios users to any organization whose development tools automatically resolve dependencies. Semgrep founder Isaac Evans pointed out that developers who pinned their versions, maintained lockfiles, and followed standard hygiene could still have been hit because their integrated development environment pulled the dependency behind the scenes.

Securing the Software Supply Chain

Security teams across industries are now scrambling to assess exposure and remediate compromised systems. Organizations using Axios must immediately audit their dependency trees, including transitive copies nested under other packages, for versions 1.14.1 and 0.30.4, move to verified safe versions such as 1.14.0 or 0.30.3, and rotate every credential that was accessible during the installation window. Technical indicators of compromise include the presence of plain-crypto-js in node_modules directories, network connections to sfrclak.com (IP address 142.11.206.73), and suspicious processes or files under /Library/Caches/com.apple.act.mond on macOS, a path named to resemble an Apple component.

Immediate mitigation steps include pinning Axios to known safe versions in package-lock.json to prevent accidental upgrades, checking for the malicious dependency, terminating any identified malicious processes, blocking the command-and-control domain and IP at network perimeters, isolating affected systems from production networks, and rotating all secrets and credentials that may have been exposed during the compromise window. Because WAVESHAPER.V2 accepts its C2 URL as a command-line argument, blocking the published domain is containment rather than eradication, and any host on which the postinstall hook ran should be treated as fully compromised. Organizations should also review access logs for unauthorized use of API keys or service accounts that may have been harvested by the malware.

Ilkka Turunen, field CTO at Sonatype, emphasized the fundamental trust issues exposed by this incident. This attack shows that hackers are now exploiting the trust people place in code rather than in the code itself, he explained. The malicious capability was introduced through a staged dependency and designed to erase its own tracks, which made the attack harder to spot and slower to understand. That is not just malware, it shows a more deliberate and mature playbook. Mike Puglia, a security leader at Kaseya, noted that the incidents provide further evidence of the fragility of the world’s software ecosystem, where compromising a single account can expose tens of thousands of organizations within hours.


Key Points

  • North Korean threat group UNC1069 compromised the Axios JavaScript library, which receives 100 million weekly downloads and exists in approximately 80% of cloud environments
  • Malicious versions 1.14.1 and 0.30.4 were available for approximately three hours on March 31, downloaded by roughly 3% of the user base representing potentially 600,000 downloads
  • The attack used a phantom dependency called plain-crypto-js to deploy WAVESHAPER.V2, a cross platform backdoor capable of infecting Windows, macOS, and Linux systems
  • Google Mandiant expects the group to use stolen credentials for long-term cryptocurrency theft operations to fund North Korea’s nuclear and missile programs
  • The malware featured advanced anti-forensics capabilities, including self-deletion and version spoofing to report itself as 4.2.0 instead of 4.2.1 to evade detection
  • Organizations must audit dependency trees, rotate all credentials, block C2 domain sfrclak.com and IP 142.11.206.73, and downgrade to safe Axios versions immediately
  • The compromise occurred through a long-lived access token that bypassed OIDC authentication controls, highlighting the need for legacy credential cleanup