North Korean UNC1069 Hijacks Axios: How a Supply‑Chain Attack Targets Developers

In March 2026, the North Korean hacker group UNC1069 compromised the popular JavaScript HTTP client Axios by injecting a remote‑access trojan into the npm package, exposing millions of developers to a sophisticated supply‑chain attack that lasted nearly three hours before detection.

Black & White Path

1. Incident Overview

1.1 Attack Details

On 31 March 2026, the open‑source library Axios, downloaded more than 100 million times per week, was compromised through a supply‑chain attack. The attackers took over the maintainer's npm account, published a malicious version, and the package remained live and undetected for about 2 hours 53 minutes.

Target: Axios, the widely‑used JavaScript HTTP client.

Downloads: >100 million per week, millions of developers.

Attack window: 22:00 UTC, 31 Mar to 00:53 UTC, 1 Apr (2 h 53 min).

Platforms affected: Windows, macOS, Linux (the package is pure JavaScript, so the same payload runs wherever Node.js does).

1.2 Attack Chain

Initial breach: The threat actor obtained credentials for the primary npm maintainer.

Persistence: The attacker changed the email address linked to the account, locking the legitimate maintainer out of the account‑recovery flow.

Payload delivery: Malicious code was inserted directly into Axios's core HTTP request handling logic.

Version push: The tampered package was published to npm as if it were a routine update; any install that resolved Axios during the window, on Windows, macOS or Linux alike, received it.

Cleanup: The backdoor was designed to self‑delete after execution to evade detection.

2. Technical Analysis

2.1 Attack Techniques

Backdoor location: Embedded in Axios's core request‑processing code, so the payload runs as soon as an application or script makes its first request through the library; no install hook is needed.

Payload type: A Remote Access Trojan (RAT) capable of full control over the victim's development machine.

Evasion method: The malicious module deletes itself after execution. That hinders after‑the‑fact recovery of the payload from an infected machine; it does not hide the published tarball, which remains available for analysis to anyone who retained a copy from the registry or a cache.

2.2 Why Supply‑Chain Attacks Are Dangerous

Compromising a single open‑source project compromises every downstream application that depends on it. An infected developer machine can expose source code, secrets, signing keys, and CI/CD pipelines, so one package can reach tens of thousands to millions of targets. Defenders are at a disadvantage because developers implicitly trust the npm registry, unpinned builds resolve the newest matching version automatically, and few security tools examine the full transitive dependency graph.

3. Attribution

3.1 Google Confirmation

"We attribute this attack to the North Korean threat group UNC1069, which has a history of using supply‑chain attacks to steal cryptocurrency. Given the popularity of the compromised package, we expect a far‑reaching impact."

3.2 Likely Motives

Cryptocurrency theft: UNC1069 has repeatedly targeted exchanges and crypto firms.

Persistent infiltration: Gaining a foothold on developers' machines for long‑term espionage.

Intelligence gathering: Harvesting open‑source code to facilitate future attacks.

4. Impact Assessment & Defensive Recommendations

4.1 Scope of Impact

"Any developer who downloaded the Axios update during the attack window should assume their system has been compromised."

With a weekly download volume exceeding one hundred million, even a three‑hour exposure could affect tens of thousands of developers. Any machine or CI runner that installed Axios during the window without an exact lockfile pin would have resolved the malicious version.

4.2 Defensive Measures

Immediate actions:

Check every lockfile, node_modules tree and CI cache for Axios 1.7.4 or 1.7.5, and for any Axios install that resolved between 31 Mar and 1 Apr.

Audit npm install logs and the contents of node_modules.

Rotate any API keys, certificates, tokens and credentials reachable from a machine that ran the package, including npm tokens, SSH keys, and cloud credentials held in environment variables or config files.

Long‑term protection:

Pin exact versions and commit a lockfile (package-lock.json, npm-shrinkwrap.json, or pnpm-lock.yaml), and install in CI with npm ci (or pnpm install --frozen-lockfile) so a build never resolves a release nobody reviewed. Running installs with --ignore-scripts blocks install‑time hooks, though it would not stop a payload embedded in the request path as described above.

Integrate Software Composition Analysis (SCA) tools into CI/CD pipelines.

Apply the principle of least privilege; avoid running npm with administrator rights.

Review the diff of every dependency update before merging, and wait several days before adopting a freshly published release; a version that was pulled within three hours would then never reach a pipeline.

5. Conclusion

The Axios supply‑chain breach demonstrates that open‑source ecosystems are a high‑value attack surface. UNC1069 executed a well‑planned, stealthy intrusion that underlines the need for zero‑trust assumptions across dependency chains. Developers should immediately check their lockfiles and installed trees for the malicious versions 1.7.4 and 1.7.5, which contain a base64‑encoded loader and a self‑deleting module, and treat any install that resolved during the attack window as suspect.

Indicators of Compromise (IOCs)

Malicious npm versions: Axios 1.7.4, Axios 1.7.5

Code characteristics: self‑deleting module, base64‑encoded payload loader

Written by

Black & White Path