Full Report
Google Threat Intelligence Group (GTIG) joined several other researchers in attributing the attack to a North Korean threat actor they call UNC1069. SentinelOne found the same group using macOS-based malware in attacks dating back to 2023.
Analysis Summary
# Threat Actor: UNC1069
## Attribution & Identity
- **Actor Identification:** UNC1069 (Google Threat Intelligence Group nomenclature).
- **Aliases:** Associated with the broader umbrella of North Korean state-sponsored threat actors (DPRK).
- **Known Associations:** Linked to activity patterns previously identified by SentinelOne involving macOS-based malware and the "BlueNoroff" threat group.
- **Affiliation:** Nation-state (North Korea).
## Activity Summary
- **Axios Supply Chain Attack (March 2026):** Compromised the lead maintainer’s npm account to publish two malicious versions of the *axios* HTTP client library (over 100 million weekly downloads).
- **Fake Zoom Campaign:** Deployed malware via multiple scams, including fraudulent "Zoom" meeting invites targeting cryptocurrency executives.
- **Historical Activity:** SentinelOne traced macOS-based malware campaigns (e.g., RustBucket) back to this actor group in 2023.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Hijacking legitimate developer/maintainer accounts on package managers (npm) to distribute malicious code via trusted updates.
- **Multi-Stage Payloads:** Deployment of initial loaders that pull down complex secondary payloads.
- **Self-Deletion/Evasion:** Malware replaces itself with a clean version of the software library after execution to evade disk forensics.
- **Social Engineering:** Using "ClickFix" lures and fake meeting software (Zoom) to deceive high-value targets.
- **Dependency Confusion/Injection:** Injecting new malicious dependencies into legitimate software packages so that the core code of the target library (axios) still appears "clean" on inspection.
## Targeting
- **Sectors:** Cryptocurrency, Financial Services, Software Development (Open Source), Enterprise Technology.
- **Geography:** Global (due to the nature of the axios library), with specific focus on cryptocurrency entities.
- **Victims:**
- Lead maintainer of the *axios* npm package.
- Cryptocurrency executives and firms.
- Potential downstream impact on any front-end or back-end system using compromised versions of axios.
## Tools & Infrastructure
- **Malware:**
- **WAVESHAPER:** A backdoor used in the axios attack and fake Zoom campaigns.
- **RustBucket:** macOS-specific malware identified in 2023.
- **Remote Access Trojan (RAT):** Capable of executing arbitrary commands, data exfiltration, and maintaining persistence.
- **Infrastructure:**
- Malicious npm versions (axios).
- Fake meeting software domains (Zoom scams).
- [Note: Specific defanged C2 IPs/URLs were not provided in the source text; researchers refer to the npm registry as the primary distribution point for this incident.]
## Implications
UNC1069 represents a highly sophisticated state-sponsored threat that has successfully moved from narrowly targeted spear-phishing to mass-scale supply chain operations. By hijacking a "top-10" npm package, they have gained a potential foothold in millions of enterprise environments. Their shift toward macOS-based malware suggests a strategic focus on developers and executives in the tech and crypto industries, who traditionally use non-Windows systems.
## Mitigations
- **Package Pinning:** Use specific versions of dependencies (lockfiles) and audit them before upgrading.
- **Integrity Checking:** Implement automated tools (e.g., Socket, StepSecurity) to scan for "dependency confusion" or suspicious new dependencies in trusted libraries.
- **MFA Enforcement:** Mandatory Multi-Factor Authentication (MFA) for all maintainers of critical open-source repositories.
- **Endpoint Detection:** Deploy EDR solutions capable of monitoring for unauthorized process execution stemming from Node.js or system-level processes, particularly those that exhibit "self-deleting" behavior.
- **Vulnerability Management:** Monitor for security advisories related to npm packages and immediately revert to known-clean versions (e.g., versions prior to the March 2026 compromise).