MyPrivateClaw

North Korean UNC1069 Compromised Axios npm Package via Fake Teams Error — Billions of Downloads at Risk

Google Threat Intelligence Group attributes a March 31 supply chain attack on the axios npm package to UNC1069, a North Korea nexus actor. A malicious dependen…

Published on MyPrivateClaw: Apr 8, 2026, 9:25 AM UTC

Coverage date: Apr 6, 2026

Last updated: Apr 8, 2026, 9:25 AM UTC

News summary

The Most Downloaded JavaScript Library Becomes a Backdoor

On March 31, 2026, between 00:21 and 03:20 UTC, attackers introduced a malicious dependency named plain-crypto-js into two releases of the axios npm package — versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript HTTP client library, with those two versions typically accumulating over 183 million combined weekly downloads.

Google Threat Intelligence Group (GTIG) has attributed the attack to UNC1069, a financially motivated North Korea nexus threat actor active since at least 2018. The attribution is based on the use of WAVESHAPER.V2 — an updated version of the WAVESHAPER backdoor previously linked to UNC1069 — and infrastructure overlaps with past UNC1069 activity.

How the Account Was Compromised

The axios package maintainer account was compromised via social engineering. The attacker changed the associated email addre…
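A lockfile check for the two axios releases and the injected dependency named in the summary above, as an added example that is not part of the original report. The function names and the sample lockfile are constructed for illustration, and the dependency name is assumed to be the hyphenated `plain-crypto-js`, since npm package names cannot contain spaces.

```javascript
// Versions and dependency name are the ones given in the summary above.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const BAD_DEP = "plain-crypto-js"; // assumed hyphenated spelling

// "node_modules/a/node_modules/@s/b" -> "@s/b" (lockfile v2/v3 key layout).
const nameFromPath = (p) => p.split("node_modules/").pop();

function check(name, version, where, out) {
  if (name === "axios" && BAD_AXIOS.has(version)) {
    out.push({ where, name, version, reason: "affected axios release" });
  } else if (name === BAD_DEP) {
    out.push({ where, name, version, reason: "injected dependency" });
  }
}

// Lockfile v1 nests transitive installs under "dependencies".
function walkV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = trail ? `${trail} > ${name}` : name;
    check(name, info.version, where, out);
    walkV1(info.dependencies, where, out);
  }
}

// Accepts a parsed package-lock.json (v1, v2 or v3) and returns findings.
function findCompromised(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      // Aliased installs carry the real package name in "name".
      check(info.name || nameFromPath(path), info.version, path, out);
    }
  } else {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/report-ui/node_modules/axios": { version: "1.13.0" },
  },
};
console.log(findCompromised(sampleLock));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised`; an empty result only means the lockfile does not currently pin the affected releases, not that they were never installed.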