Google Links Axios npm Supply Chain Hack to Suspected North Korean Group
Google threat researchers say a suspected North Korean hacking group tracked as UNC1069 briefly compromised the widely used Axios JavaScript library on npm, turning it into a vehicle for credential-stealing malware targeting Windows, macOS and Linux. Earlier this week, attackers gained access to a maintainer’s GitHub account and published at least two malicious Axios versions, which were downloaded before being removed about three hours later. Cloud-security firm Wiz estimates that Axios is pulled roughly 100 million times a week and is present in about 80% of cloud and code environments; it has already detected the tainted versions in roughly 3% of the environments it scanned. Although the malicious packages have been taken down, researchers warn the incident could have far-reaching impacts because compromised code can persist deep in downstream software supply chains. Google also stressed that this operation is separate from another major npm supply-chain attack disclosed last week, underscoring the growing tempo and sophistication of software-dependency compromises with clear implications for U.S. companies and infrastructure.
📌 Key Facts
- Google linked the Axios npm compromise to suspected North Korean group UNC1069, which has previously targeted crypto and DeFi firms.
- Attackers compromised a maintainer’s GitHub account and published at least two malicious Axios package versions carrying malware that targets Windows, macOS and Linux.
- The malicious versions were live for roughly three hours before removal, but Wiz estimates Axios sees ~100 million weekly downloads, is in ~80% of cloud/code environments, and the tainted versions already appear in about 3% of environments it scanned.
📊 Relevant Data
North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025, representing a 51% increase from 2024 and accounting for over half of the total $3.4 billion in global crypto theft that year.
2025 Crypto Theft Reaches $3.4 Billion - Chainalysis — Chainalysis
Supply chain cyber attacks surged by 431% between 2021 and 2023, with projections indicating continued dramatic rises through 2025 and beyond.
Supply chain cyber attacks surge over 400%, expected to continue rising -- Cowbell report — Insurance Business Magazine
North Korea has industrialized cryptocurrency theft as a means to generate revenue for weapons proliferation, sanctions evasion, and other destabilizing activities, with estimated thefts exceeding $6.75 billion cumulatively by 2025.
North Korea and the Industrialization of Cryptocurrency Theft — TRM Labs
The North Korean threat group UNC1069 targets the cryptocurrency industry using AI-enabled social engineering tactics, such as deepfakes and multi-stage malware, to steal credentials and funds.
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering — Google Cloud Blog