'Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4 ... obfuscated dropper that deploys the WAVESHAPER.V2 backdoor ...

'GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities.

'... the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled account ([email protected])'.
https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package

North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | Google Cloud Blog


'... Axios lead maintainer Jason Saayman explained that the hackers had infected his computer with a backdoor roughly two weeks before.

'After inviting Saayman to a Slack workspace, the hackers scheduled a meeting on Microsoft Teams. When joining the meeting, the maintainer received an error message and was instructed to install a fake update that infected his system with the RAT.

'UNC1069, the North Korean hacking group blamed for the Axios supply chain attack, is now using similar social engineering tactics in a campaign targeting multiple high-profile Node.js maintainers.

'The operation takes weeks to execute and is deliberately designed to feel unremarkable. Attackers build rapport over time, schedule calls in advance and reschedule them, and conduct themselves with the professionalism of a legitimate business contact'.
https://www.securityweek.com/north-korean-hackers-target-high-profile-node-js-maintainers/

North Korean Hackers Target High-Profile Node.js Maintainers

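As an added defender-side check (not code from the GTIG or SecurityWeek articles), the Node script below scans an npm package-lock.json for the indicators quoted from the GTIG report: the compromised axios releases 1.14.1 and 0.30.4 and the injected "plain-crypto-js" dependency. The sample lockfile at the bottom, including the plain-crypto-js version it lists, is constructed for illustration.

```javascript
// Added example, not code from the GTIG or SecurityWeek articles: scan an
// npm package-lock.json for the indicators quoted above (axios 1.14.1 and
// 0.30.4, and the injected dependency "plain-crypto-js"). The sample
// lockfile at the bottom is constructed for illustration.
const COMPROMISED = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])],
  ['plain-crypto-js', null], // null = flag any version; the name is the indicator
]);

// Handles lockfileVersion 2/3 ("packages", keyed by install path) and
// lockfileVersion 1 ("dependencies", nested). Returns one finding per match.
function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (!COMPROMISED.has(name)) return;
    const bad = COMPROMISED.get(name);
    if (bad === null || bad.has(version)) findings.push({ name, version, where });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Package name is the text after the last "node_modules/" (keeps "@scope/pkg").
    const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 13);
    check(name, meta.version, path);
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, meta.version, where);
      walkV1(meta.dependencies, `${where}/`);
    }
  };
  walkV1(lock.dependencies, '');
  return findings;
}

// Constructed v3 lockfile: a transitive pin pulled in the trojanised axios
// release and its injected dependency (the plain-crypto-js version is made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '0.0.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

for (const h of scanLockfile(SAMPLE_LOCK)) {
  console.log(`FLAG ${h.name}@${h.version} at ${h.where}`);
}
```

Point scanLockfile at JSON.parse of a real package-lock.json to check a project; a clean lockfile returns an empty array.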