North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM release versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.

Pulse ID: 69cd1d9aae74cc11b50ba18e
Pulse Link: https://otx.alienvault.com/pulse/69cd1d9aae74cc11b50ba18e
Pulse Author: AlienVault
Created: 2026-04-01 13:28:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Google #HTTP #InfoSec #Java #JavaScript #Korea #Linux #Mac #MacOS #NPM #NorthKorea #OTX #OpenThreatExchange #SupplyChain #Windows #bot #iOS #AlienVault
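
A lockfile check for the indicators named in the summary above (axios 1.14.1 and 0.30.4, and the "plain-crypto-js" dependency), as an added example that is not part of the original post or of GTIG's reporting. The function names and the sample lockfile, including the placeholder version for plain-crypto-js, are constructed for illustration.

```javascript
// Indicators come from the advisory text; names and sample data are constructed.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const BAD_DEP = "plain-crypto-js";
// Lockfile v2/v3 keys are paths: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Flag a bad axios version, the dropper itself, or a package declaring it.
function check(name, version, declared, where, findings) {
  if (name === "axios" && BAD_AXIOS.has(version))
    findings.push({ where, reason: `axios@${version} is a compromised release` });
  if (name === BAD_DEP)
    findings.push({ where, reason: `${BAD_DEP}@${version} is in the tree` });
  if (declared && Object.prototype.hasOwnProperty.call(declared, BAD_DEP))
    findings.push({ where, reason: `${name} declares ${BAD_DEP}` });
}

// Lockfile v1 nests transitive dependencies recursively.
function walkV1(deps, trail, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = `${trail}/${name}`;
    check(name, entry.version, entry.requires, where, findings);
    walkV1(entry.dependencies, where, findings);
  }
}

function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // root project entry, not an installed package
      check(nameFromPath(key), entry.version, entry.dependencies, key, findings);
    }
  } else {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

// Constructed sample in package-lock.json v3 shape; "0.0.0" is a placeholder.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
  "node_modules/axios": { version: "1.14.1", dependencies: { [BAD_DEP]: "^0.0.0" } },
  "node_modules/plain-crypto-js": { version: "0.0.0" },
  "node_modules/legacy/node_modules/axios": { version: "0.30.3" },
} };
for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.where}: ${f.reason}`);
```

To scan a real project, pass the result of `JSON.parse` on its package-lock.json contents to `scanLockfile`; a nested copy of axios pulled in by another package is reported with its full path.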
