Cybercriminal and nation-state threat actors are increasingly shifting toward developer-ecosystem compromise and software supply chain abuse as a reliable avenue for mass access. Rather than exploiting hardened enterprise perimeters directly, these actors target trusted package repositories, build pipelines, and maintainer accounts, enabling them to reach thousands of downstream organizations in a single operation.
Recent disclosures from Google Threat Intelligence Group (GTIG) reveal that this tactic was at the core of a high-impact supply-chain compromise involving the Axios npm package, a widely used JavaScript HTTP client. Google attributes the attack to UNC1069, a financially motivated North Korea–linked threat actor with a history of targeting cryptocurrency and software supply chains.
Background on UNC1069 Operations
UNC1069 is a North Korean threat cluster active since at least 2018, primarily associated with cryptocurrency theft, supply-chain compromise, and stealthy, financially motivated intrusions. Unlike opportunistic malware campaigns, UNC1069 operations emphasize:
- Compromising trusted software distribution channels
- Abuse of maintainer credentials and release workflows
- Multi-platform payload development (Windows, macOS, Linux)
- Built-in forensic cleanup and self-deletion
- Long-term monetization potential rather than immediate disruption
Google and partner organizations assess UNC1069 activities as highly planned, with tooling reuse and operational discipline consistent with state-aligned development resources.
Campaign Overview
The Axios npm attack represents a deliberate and coordinated supply-chain intrusion, not a one-off compromise. Attackers gained access to the Axios maintainer’s npm account and published trojanized versions targeting both active release branches within a short time window. The primary targets of this campaign are JavaScript developers and CI/CD pipelines, organizations consuming Axios as a dependency, and cryptocurrency-adjacent environments.
Timeline and Scope
- Compromised Versions: Axios 1.14.1 and 0.30.4
- Delivery Mechanism: Malicious dependency inserted without modifying Axios source code
- Scale: Potentially widespread impact due to Axios’ popularity in developer environments
- Objective: Enable covert backdoor deployment across developer and production systems
Infection Method
Initial Access
Attackers gained initial access by compromising the npm account of the primary Axios maintainer, enabling them to publish malicious updates through a trusted distribution channel. Using legitimate publishing privileges, they released trojanized Axios versions 1.14.1 and 0.30.4, exposing downstream users during routine dependency installs.
Exploitation
No zero-day or known vulnerabilities were exploited. Instead, the attackers abused npm’s dependency resolution and lifecycle scripts: the trojanized releases added a malicious transitive dependency (plain-crypto-js) whose install script ran automatically on `npm install`. Because Axios’ own source files were unchanged, the change slipped past source code reviews and CI/CD checks that diff the package contents rather than its dependency tree.
Payload Delivery
A malicious postinstall script embedded in the injected dependency executed an obfuscated Node.js dropper, which downloaded and deployed platform-specific RAT payloads for Windows, macOS, and Linux. The payload leveraged native scripting tools and performed self-cleanup to evade detection.
Execution & Persistence
Execution occurred automatically during installation without user interaction. Persistence relied on lightweight mechanisms, including registry-based startup scripts on Windows and follow-on command execution, combined with forensic cleanup to remove malicious artifacts.
Command-and-Control (C2)
C2 was handled via centralized remote servers using structured HTTP communications with 60-second beaconing intervals. Infrastructure and tooling showed overlap with prior UNC1069 (WAVESHAPER) campaigns and supported command execution, file enumeration, and payload deployment.
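The fixed 60-second polling described above is detectable in proxy or egress logs without any knowledge of the payload. The following is an added example, not code from the advisory or from Google’s report: it groups requests by (source host, destination), estimates the dominant inter-request interval, and flags pairs whose intervals cluster tightly around it. The line format, the log lines, and the jitter and count thresholds are constructed assumptions for this example; the destination names come from the IOC list below. The detector estimates the period from the data rather than hard-coding 60 seconds, so the case in the text is one instance of what it catches.

```javascript
// Added example (not from the advisory): flag source hosts that contact a
// destination at a near-constant interval, the pattern produced by the
// 60-second C2 polling described in the advisory. Period is estimated from
// the data, so any fixed-interval beacon is caught, not only 60 s.

// Known C2 hosts from the advisory's IOC list (defanging brackets removed).
const KNOWN_C2_HOSTS = new Set(["sfrclak.com", "142.11.206.73"]);

// Constructed proxy log in a constructed format:
// "<ISO timestamp> <src host> <dst host> <dst ip> <method> <path> <status>"
// host-a polls the C2 roughly every 60 s; host-b browses a CDN irregularly.
const SAMPLE_PROXY_LOG = [
  "2025-01-01T10:00:00Z host-a sfrclak.com 142.11.206.73 POST /api 200",
  "2025-01-01T10:00:05Z host-b cdn.example.com 203.0.113.10 GET /bundle.js 200",
  "2025-01-01T10:00:07Z host-b cdn.example.com 203.0.113.10 GET /app.css 200",
  "2025-01-01T10:00:30Z host-a registry.npmjs.org 192.0.2.7 GET /axios 200",
  "2025-01-01T10:01:00Z host-a sfrclak.com 142.11.206.73 POST /api 200",
  "2025-01-01T10:02:02Z host-a sfrclak.com 142.11.206.73 POST /api 200",
  "2025-01-01T10:03:00Z host-a sfrclak.com 142.11.206.73 POST /api 200",
  "2025-01-01T10:03:40Z host-b cdn.example.com 203.0.113.10 GET /img.png 200",
  "2025-01-01T10:03:41Z host-b cdn.example.com 203.0.113.10 GET /img2.png 200",
  "2025-01-01T10:04:01Z host-a sfrclak.com 142.11.206.73 POST /api 200",
  "2025-01-01T10:05:00Z host-a sfrclak.com 142.11.206.73 POST /api 200",
  "2025-01-01T10:09:00Z host-b cdn.example.com 203.0.113.10 GET /api/feed 200",
  "this line is malformed and should be skipped",
];

// Parse one line into {t (seconds), src, dstHost, dstIp}; null if unusable.
function parseProxyLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 4) return null;
  const ms = Date.parse(f[0]);
  if (Number.isNaN(ms)) return null;
  return { t: ms / 1000, src: f[1], dstHost: f[2], dstIp: f[3] };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Thresholds are assumptions: at least 4 intervals, 10% jitter band around the
// median interval, and 75% of intervals inside that band.
function detectBeacons(lines, { minIntervals = 4, jitterFraction = 0.1, minInBandFraction = 0.75 } = {}) {
  const byPair = new Map(); // "src\tdst" -> sorted timestamps
  for (const line of lines) {
    const ev = parseProxyLine(line);
    if (!ev) continue;
    const key = `${ev.src}\t${ev.dstHost}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(ev.t);
  }
  const findings = [];
  for (const [key, times] of byPair) {
    times.sort((a, b) => a - b);
    const deltas = times.slice(1).map((t, i) => t - times[i]); // gaps between consecutive requests
    if (deltas.length < minIntervals) continue;
    const period = median(deltas);
    if (period <= 0) continue;
    const inBand = deltas.filter((d) => Math.abs(d - period) <= period * jitterFraction).length;
    if (inBand / deltas.length < minInBandFraction) continue;
    const [src, dst] = key.split("\t");
    findings.push({
      src, dst, periodSeconds: period, intervals: deltas.length, inBand,
      severity: KNOWN_C2_HOSTS.has(dst) ? "high" : "review",
    });
  }
  return findings;
}

for (const f of detectBeacons(SAMPLE_PROXY_LOG)) {
  console.log(`[${f.severity}] ${f.src} -> ${f.dst}: period ${f.periodSeconds}s, ${f.inBand}/${f.intervals} intervals in band`);
}
```

Legitimate agents (update checkers, monitoring clients) also poll on fixed intervals, so a "review" hit is a lead to correlate with the IOC list, with process lineage (a node, PowerShell or Python process spawned under an npm install), and with the dependency audit, not a verdict on its own.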
Key Characteristics of the Attack
- Abuse of npm postinstall hooks for execution
- No backdoor shipped inside the package itself; the dropper fetched the payload in the background after installation
- Cross-platform backdoor deployment logic
- Replacement of malicious configuration files post-execution to evade detection
- Infrastructure reuse consistent with previously attributed UNC1069 campaigns
Indicators of Compromise (IOCs)
The following infrastructure has been identified as being used by the UNC1069 campaign associated with the Axios npm supply-chain attack for command-and-control (C2) and malicious payload delivery:
- Domain: sfrclak[.]com
- IP Address: 142.11.206[.]73
- C2 Infrastructure: sfrclak[.]com (IP: 142.11.206[.]73) was used by UNC1069 to deliver WAVESHAPER.V2, a cross-platform backdoor (PowerShell on Windows, Mach-O on macOS, Python on Linux), via a malicious npm dependency executed during installation.
- Tools Used: Obfuscated Node.js dropper (SILKBELL), npm postinstall scripts, PowerShell, AppleScript, Unix shell/Python, and HTTP-based JSON C2 communication.
MITRE ATT&CK Mapping
- TA0001 – Initial Access: Software supply-chain compromise via npm
- TA0002 – Execution: Postinstall script abuse
- TA0005 – Defense Evasion: Self-deleting droppers and file restoration
- TA0011 – Command and Control: HTTP-based JSON C2 polling at 60-second intervals
- TA0008 – Lateral Movement: Follow-on payload capability post-deployment
- T1195.001 – Supply Chain Compromise: via a compromised npm maintainer account to publish trojanized Axios packages.
Visual Flow
Maintainer Account Compromise -> Trojanized Axios Release -> Malicious Dependency (plain-crypto-js)
-> Postinstall Execution -> SILKBELL Dropper -> WAVESHAPER.V2 Backdoor -> Persistent C2-Enabled Access
Mitigation
- Audit Dependency Trees: Identify compromised Axios versions.
- Pin Known-Good Versions: Enforce strict package-lock validation.
- Monitor Build Pipelines: Detect unexpected postinstall activity.
- Hunt for IOCs: Search for plain-crypto-js artifacts in lockfiles, node_modules directories and npm cache, and for the C2 indicators listed above.
- Credential Rotation: Treat secrets present on any host that installed a compromised version (npm tokens, cloud keys, CI variables, signing keys) as compromised and rotate them.
- Broaden Supply Chain Monitoring: Extend scrutiny beyond npm to other registries such as PyPI and NuGet.
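The first four mitigation steps above, and the install-time execution described under Exploitation, can be checked from the lockfile alone. The following is an added example, not code from the advisory, Google, npm, or the Axios project: it audits a package-lock.json (lockfileVersion 2 or 3, where npm lists every installed package under "packages" and marks packages that declare preinstall/install/postinstall scripts with "hasInstallScript": true) for the compromised Axios versions, for the malicious transitive dependency and anything that declares it, and for every package able to run code during install. The compromised versions and package name come from the advisory; the sample lockfile, the placeholder version for plain-crypto-js, and the install-script allowlist are constructed assumptions.

```javascript
// Added example (not code from the advisory, Google, npm, or the Axios project).
// Audits an npm package-lock.json (lockfileVersion 2/3) for the trojanized Axios
// releases, the malicious transitive dependency, and install-time scripts.

const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]); // from the advisory
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);          // from the advisory
// Assumption: install scripts the team has reviewed and accepts. Left empty so
// every install script is surfaced; a real deployment would populate this.
const INSTALL_SCRIPT_ALLOWLIST = new Set();

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    // lockfileVersion 1 nests everything under "dependencies" and has no
    // hasInstallScript flag; regenerate with npm >= 7 before auditing.
    findings.push({ severity: "warn", kind: "unsupported-lockfile", pkg: null,
      detail: 'no "packages" map (lockfileVersion < 2)' });
    return findings;
  }
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project itself
    const name = meta.name || packageNameFromPath(path);
    const version = meta.version || "unknown";
    const id = `${name}@${version} (${path})`;

    if (name === "axios" && COMPROMISED_AXIOS_VERSIONS.has(version)) {
      findings.push({ severity: "critical", kind: "compromised-axios", pkg: id, detail: "trojanized release" });
    }
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ severity: "critical", kind: "malicious-package-present", pkg: id, detail: "known malicious package installed" });
    }
    // A package that pulls in the malicious dependency is itself suspect, whatever its version.
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (MALICIOUS_PACKAGES.has(dep)) {
        findings.push({ severity: "critical", kind: "malicious-dependency-declared", pkg: id, detail: `declares dependency on ${dep}` });
      }
    }
    // npm sets hasInstallScript when the package has preinstall/install/postinstall scripts.
    if (meta.hasInstallScript && !INSTALL_SCRIPT_ALLOWLIST.has(name)) {
      findings.push({ severity: "warn", kind: "install-script", pkg: id, detail: "runs a lifecycle script during npm install" });
    }
  }
  return findings;
}

function summarize(findings) {
  const out = { critical: 0, warn: 0 };
  for (const f of findings) out[f.severity] += 1;
  return out;
}

// Constructed sample: an app that pulled the trojanized Axios 1.14.1, which in
// turn pulled plain-crypto-js (version is a placeholder). esbuild stands in for
// a benign package that legitimately uses a postinstall script.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", esbuild: "^0.21.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "*", "follow-redirects": "^1.15.6" },
    },
    "node_modules/plain-crypto-js": { version: "1.0.0", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.9" },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
  },
};

function main() {
  // Pass a lockfile path to audit a real project; otherwise the constructed sample is used.
  let lock = SAMPLE_LOCK;
  if (typeof process !== "undefined" && process.argv.length > 2 && typeof require === "function") {
    lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  }
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`[${f.severity}] ${f.kind}: ${f.pkg} - ${f.detail}`);
  console.log("summary:", JSON.stringify(summarize(findings)));
  return findings;
}

main();
```

Run it in CI against the committed lockfile and fail the build on any critical finding. The install-script warnings are the list to review when deciding whether the pipeline can run with `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`), which blocks the postinstall hook this campaign relied on; packages on that list that genuinely need their scripts can be handled with an explicit post-install step rather than re-enabling scripts globally.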
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
