North Korean threat actors tied to the UNC1069 cluster compromised the widely used Axios JavaScript HTTP library in a supply chain attack that hit 135 devices across 12 US organizations, according to investigators. The campaign used a hijacked maintainer account to push backdoored releases of a package downloaded more than 183 million times a week, in service of the cryptocurrency theft operations that fund Pyongyang's nuclear and missile programs.

What Happened

Attackers linked to North Korea held control of a maintainer's account on the Axios open-source project for at least three hours on a Tuesday. During that window they published two malicious versions of the library, silently delivering a backdoor to any downstream consumer that installed or updated the package while those versions were live. The compromised maintainer scrambled to regain control while security teams across the US raced to assess the blast radius. Investigators have so far confirmed 135 compromised devices across 12 organizations, and the victim count is expected to grow significantly as telemetry is correlated.

What Was Taken

Early impact assessments suggest hundreds of thousands of business secrets have already leaked out of victim environments, positioning this incident among the most damaging supply chain breaches to date. The malware opens backdoor access to the host operating system, giving the operators persistent entry for credential theft, lateral movement, and environment enumeration. Mandiant assesses that UNC1069 will use the harvested credentials and system access to pivot into enterprise cryptocurrency holdings, continuing a pattern that includes the group's record-setting $1.5 billion cryptocurrency theft in 2025.

Why It Matters

Axios sits deep in the JavaScript dependency graph of thousands of production applications, so a single poisoned release propagates automatically through build pipelines, CI/CD systems, and production runtimes. A three-hour window of maintainer compromise was sufficient to infect a dozen confirmed enterprises, and the real count will expand as organizations audit their package lockfiles against the compromised version range. One caveat for that audit: a lockfile only records what was resolved when it was written, so builds that resolved Axios afresh inside the window (no committed lockfile, a regenerated one, or a floating range installed without `npm ci`) must also be checked against build logs and the local npm cache. Supply chain attacks on high-traffic npm packages remain one of the highest-leverage vectors available to state-sponsored actors, and UNC1069's willingness to burn access this loudly signals that detection evasion is no longer a primary constraint for DPRK crews.

The Attack Technique

Initial access was achieved by taking over a core Axios maintainer account, most likely through credential theft or session hijacking consistent with UNC1069 tradecraft documented since 2018. The attackers published two malicious Axios releases that delivered an OS-level backdoor to any environment installing or updating the package during the exposure window. After installation the payload removed its own install artifacts to frustrate forensic analysis, and the operators prioritized rapid exfiltration over long-term stealth, leaving before defenders could lock in detection signatures. The operation fits the broader UNC1069 playbook of financially motivated intrusions against finance and cryptocurrency targets.

What Organizations Should Do

Sources: North Korean Hackers Target Axios, Steal Cryptocurrency in a Massive Attack - IT Security News