Google's Threat Intelligence Group (GTIG) has formally attributed the Axios npm supply chain attack to UNC1069, a North Korean threat activity cluster tracked by Google as a financially motivated group with a documented history of targeting software developers, cryptocurrency infrastructure, and open-source package ecosystems.
The attribution was confirmed by John Hultquist, chief analyst at Google Threat Intelligence Group, who stated: "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069."
About UNC1069
UNC1069 is a Google GTIG designation for a North Korean-linked threat cluster focused primarily on financial gain through developer ecosystem compromise. Unlike some DPRK-affiliated groups that focus on espionage or destructive operations, UNC1069 specialises in:
- Supply chain attacks against widely used developer packages and tools
- Credential theft from developer environments — targeting cloud keys, npm tokens, GitHub tokens, and cryptocurrency wallet keys
- Trojanised developer tooling — embedding backdoors in legitimate-looking packages, installers, or development utilities
- Cryptocurrency theft — using access to developer infrastructure to steal cryptocurrency held by companies or individuals
UNC1069 is believed to operate alongside other DPRK cyber units as part of North Korea's broader strategy of using cybercrime to generate foreign currency revenue in the face of international sanctions.
The Attribution Basis
Google's attribution of the Axios attack to UNC1069 is based on a combination of:
| Attribution Factor | Detail |
|---|---|
| Tactics, Techniques, and Procedures (TTPs) | Consistent with prior UNC1069 supply chain operations |
| Infrastructure overlap | Command and control infrastructure linked to known UNC1069 campaigns |
| Malware similarity | Backdoor code shares characteristics with UNC1069 implants observed in previous attacks |
| Target selection pattern | High-value npm packages with broad developer ecosystem reach — consistent with UNC1069's targeting philosophy |
| Token abuse technique | Long-lived legacy token bypass method previously used in UNC1069 operations |
The Attack Mechanism Revisited
The Axios breach followed a sophisticated but reproducible pattern:
1. UNC1069 identifies a long-lived npm publish token for the Axios package (likely via credential theft, phishing, or a prior developer environment compromise)
2. The attackers use the legacy token to publish backdoored versions of Axios directly to the npm registry — bypassing the project's GitHub Actions OIDC controls, which require short-lived, workflow-bound tokens
3. Backdoored versions are downloaded by developers and CI/CD pipelines worldwide that automatically resolve and install updated dependencies
4. The backdoor executes in developer environments and CI/CD runners, giving UNC1069 access to environment variables, credentials, source code, and build artifacts
5. Harvested credentials — cloud keys, deploy tokens, npm tokens — are used for further compromise or cryptocurrency theft, or are sold on

North Korea's Software Supply Chain Strategy
The Axios attack is the latest in a sustained DPRK campaign targeting the software supply chain as a force multiplier. By compromising a single high-value package used by millions of developers, UNC1069 and related groups can:
- Scale their reach exponentially — one compromised package touches millions of installations
- Achieve persistence across organisations — the backdoor runs wherever the package is installed
- Access high-value secrets at scale — CI/CD environments hold cloud keys, deploy credentials, and signing certificates
- Operate without direct targeting — the attack is automated via the normal npm install workflow
| DPRK Supply Chain Attack | Package / Target | Scale |
|---|---|---|
| Axios (UNC1069) | axios (npm) — hundreds of millions of downloads/week | Global |
| Lazarus GraphAlgo | npm/PyPI crypto packages | Blockchain developers |
| UNC4899 airdrop | Trojanised crypto developer tools | DeFi ecosystem |
| Notepad++ (China APT-overlap) | Windows developer tooling | Windows developers globally |
| cline-cli (OpenClaw) | AI development tools | AI/ML developers |
Google's Role in Threat Attribution
Google GTIG's formal attribution serves several purposes beyond academic intelligence:
- Disruption — Public attribution raises the reputational and diplomatic cost for North Korea
- Defender enablement — Detailed attribution gives defenders specific TTPs to hunt for in their environments
- Industry coordination — GTIG shares attribution details with law enforcement, other cloud providers, and npm/GitHub security teams to enable coordinated response
- Policy context — Attribution feeds into government-level sanctions and policy responses to DPRK cyber operations
Hultquist's public statement reflects GTIG's standard practice of public disclosure once sufficient confidence exists and disclosure serves the defender community.
What Organisations Should Do Now
Immediate: Verify Your Axios Installation
```bash
# Check the axios version in your projects
npm list axios
npm ls axios --all 2>/dev/null
# Run npm audit to surface any flagged packages
npm audit
# Verify package signatures (npm 9+)
npm audit signatures
```

Short-Term: Rotate Exposed Credentials
If any environment installed a backdoored axios version:
- Rotate all CI/CD secrets — cloud provider keys, deploy tokens, npm tokens
- Audit GitHub repository secrets for leaked credentials
- Review cloud provider access logs for unusual API calls
- Rotate npm publish tokens for any packages your organisation maintains
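The version check above covers one project at a time and can miss copies of axios nested under other dependencies. The following added example (written for this page, not code from the article or the Axios project) parses package-lock.json files of lockfile versions 1 to 3 and lists every axios entry with its status; the suspect version set is a placeholder to fill from the official advisory, and the sample lockfiles are constructed.

```python
"""Find every axios entry in npm lockfiles (any nesting depth) and flag suspect ones."""
import json
from pathlib import Path

# PLACEHOLDER: populate from the official advisory. "9.9.9" is a constructed value.
SUSPECT_AXIOS_VERSIONS = {"9.9.9"}

def _entry(loc, meta):
    """Normalise one lockfile record into the fields an incident responder needs."""
    version = meta.get("version")
    if version in SUSPECT_AXIOS_VERSIONS:
        status = "SUSPECT"
    elif not meta.get("integrity"):
        status = "NO-INTEGRITY"  # tarball hash absent, so the install cannot be verified
    else:
        status = "ok"
    return {"path": loc, "version": version, "resolved": meta.get("resolved"), "status": status}

def _walk_v1(deps, prefix, out):
    """lockfileVersion 1 nests transitive deps under each record's own 'dependencies'."""
    for name, meta in (deps or {}).items():
        loc = f"{prefix}node_modules/{name}"
        if name == "axios":
            out.append(_entry(loc, meta))
        _walk_v1(meta.get("dependencies"), loc + "/", out)

def find_axios(lock):
    """Return every axios record in a parsed package-lock.json (v1, v2 or v3)."""
    found = []
    if "packages" in lock:  # v2/v3: flat map keyed by install path (v2 also keeps a v1 tree; skip it)
        for loc, meta in lock["packages"].items():
            if loc.endswith("node_modules/axios"):
                found.append(_entry(loc, meta))
    else:  # v1: recursive 'dependencies' tree
        _walk_v1(lock.get("dependencies"), "", found)
    return found

def audit_tree(root):
    """Scan every package-lock.json under root; returns {lockfile path: [entries]}."""
    return {str(p): find_axios(json.loads(p.read_text())) for p in Path(root).rglob("package-lock.json")}

# Constructed sample lockfiles: a v3 file with a nested axios copy, and a v1 file missing integrity.
SAMPLE_V3 = json.loads('{"lockfileVersion":3,"packages":{"":{"name":"app"},'
    '"node_modules/axios":{"version":"1.7.0","resolved":"https://registry.npmjs.org/axios/-/axios-1.7.0.tgz","integrity":"sha512-PLACEHOLDER"},'
    '"node_modules/some-sdk/node_modules/axios":{"version":"9.9.9","resolved":"https://registry.npmjs.org/axios/-/axios-9.9.9.tgz","integrity":"sha512-PLACEHOLDER"}}}')
SAMPLE_V1 = json.loads('{"lockfileVersion":1,"dependencies":{"some-sdk":{"version":"2.0.0",'
    '"dependencies":{"axios":{"version":"1.6.0","resolved":"https://registry.npmjs.org/axios/-/axios-1.6.0.tgz"}}}}}')

if __name__ == "__main__":
    for lock in (SAMPLE_V3, SAMPLE_V1):
        for e in find_axios(lock):
            print(f"{e['status']:12} {e['version']:8} {e['path']}")
```

Run `audit_tree(".")` from a monorepo or checkout root to cover every lockfile at once; any SUSPECT or NO-INTEGRITY line is a trigger for the credential rotation steps above.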
Long-Term: Supply Chain Hardening
```bash
# Enable npm provenance for packages you publish.
# In the GitHub Actions workflow that publishes:
#   permissions:
#     id-token: write   # required for provenance
# Use npm ci in CI/CD (enforces the lockfile, prevents unexpected version resolution)
npm ci
# Implement dependency review in GitHub Actions:
#   .github/workflows/dependency-review.yml
```

For Package Maintainers: Token Hygiene
The Axios attack exploited a legacy token that outlived its usefulness. Package maintainers should:
- Audit all npm tokens — revoke any not tied to an active CI/CD workflow
- Migrate to OIDC-based publishing via GitHub Actions or equivalent
- Enable npm Provenance to cryptographically link published packages to their source repo and workflow
- Set up npm security alerts for unexpected publish activity
References
- Google GTIG Attribution Statement
- The Hacker News — Google Attributes Axios Attack to UNC1069
- SecurityWeek — Axios npm Package Breached in North Korean Supply Chain Attack
- Related: Axios Supply Chain Attack — Cross-Platform RAT
- npm Security Advisory
Source: The Hacker News — April 1, 2026