Full Report
Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement. "North Korean
Analysis Summary
# Threat Actor: UNC1069
## Attribution & Identity
* **Actor Name:** UNC1069
* **Attribution:** North Korea (suspected financially motivated threat activity cluster).
* **Known Associations:** Formally attributed by Google Threat Intelligence Group (GTIG) and Mandiant; activity overlaps first identified by Elastic Security Labs.
* **Operational History:** Active since at least 2018.
## Activity Summary
In early 2026, UNC1069 executed a high-sophistication supply chain attack targeting the popular npm package **Axios**. The actor compromised the package maintainer's npm account to release trojanized versions (1.14.1 and 0.30.4). This campaign utilized a malicious dependency to deliver cross-platform backdoors to developers and systems utilizing the compromised library.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Account takeover of package maintainers to inject malicious code into trusted libraries.
* **Dependency Confusion/Injection:** Introduction of a malicious dependency named `plain-crypto-js`.
* **Persistence via Postinstall Hooks:** Leverages the `postinstall` hook in `package.json` to execute malicious code automatically upon installation.
* **Cross-Platform Targeting:** Deployment of OS-specific payloads (Windows, macOS, Linux).
* **Evasion & Cleanup:** Droppers automatically remove themselves and replace the malicious `package.json` with a clean version after infection to evade detection.
* **Obfuscation:** Use of obfuscated JavaScript (SILKBELL) for initial staging.
* **Command and Control (C2):** Use of JSON-based communication with 60-second beacon intervals and uncommon User-Agent strings.
* **Dynamic C2 Configuration:** Backdoors accept C2 URLs via command-line arguments.
## Targeting
* **Sectors:** Cryptocurrency (historical focus), Software Development, and broad technology sectors via supply chain.
* **Geography:** Global (due to the widespread use of the Axios npm package).
* **Victims:** Users of the Axios npm library (versions 1.14.1 and 0.30.4).
## Tools & Infrastructure
* **SILKBELL (setup.js):** An obfuscated JavaScript dropper.
* **WAVESHAPER / WAVESHAPER.V2:** A C++ cross-platform backdoor. V2 supports commands: `kill`, `rundir` (enumeration), `runscript` (AppleScript/PowerShell/Shell execution), and `peinject` (binary execution).
* **Platform-Specific Payloads:**
  * Windows: PowerShell-based malware.
  * macOS: C++ Mach-O binary.
  * Linux: Python-based backdoor.
* **Infrastructure:**
  * **C2 Domain:** sfrclak[.]com
  * **IP Address:** 142.11.206[.]73
  * **Temporary Directories:** `/Library/Caches/com.apple.act.mond` (macOS).
## Implications
UNC1069 demonstrates high operational sophistication by targeting the foundational tools of modern software development. This attack serves as a "template" for future North Korean operations, signaling a shift from direct cryptocurrency exchange heists to broader supply chain compromises. The ability to hit multiple release branches within 40 minutes of access indicates a highly automated and pre-staged kill chain.
## Mitigations
* **Dependency Auditing:** Inspect `node_modules` for the presence of `plain-crypto-js`.
* **Version Pinning:** Use `package-lock.json` to pin Axios to a known safe version (pre-compromise) and avoid accidental upgrades.
* **Process Monitoring:** Monitor for and terminate suspicious background processes triggered by npm installs.
* **Network Security:** Block the known C2 domain `sfrclak[.]com` and IP `142.11.206[.]73`.
* **Credential Hygiene:** Rotate all environment secrets and credentials if a system is found to have installed the compromised versions.
* **Isolation:** Isolate affected developer workstations and build servers for forensic analysis.