North Korean UNC1069 Hijacks Axios npm Package in Targeted Supply Chain Attack
What Happened — The maintainer of the widely used Axios JavaScript library confirmed that a North Korean‑linked threat group tracked as UNC1069 gained publish access to the npm package by social‑engineering its maintainer in a highly targeted campaign. A release carrying injected malicious code was published to the public npm registry, so any downstream build that resolved to that release (for example, one installing from a floating semver range, or without a lockfile) pulled the backdoor in.
Why It Matters for TPRM —
- Supply‑chain compromise of a core developer library can cascade to thousands of downstream SaaS and on‑premise applications.
- Attackers used social engineering to obtain the maintainer's credentials, so the malicious release went straight to the registry without passing through the project's code‑review process.
- The incident underscores the need for continuous monitoring of third‑party open‑source components used by vendors.
Who Is Affected — Technology SaaS providers, cloud‑native platforms, fintech, health‑tech, and any organization that incorporates Axios into its software stack.
Recommended Actions —
- Audit every application, including vendor‑delivered ones, for direct and transitive dependencies on Axios; pin to a known‑good version and install from a lockfile so builds cannot silently float to a newer release.
- Review npm account and token activity for any packages your organization or its vendors publish, rotate publishing tokens, and treat secrets present in environments that installed a compromised version (API keys, user credentials) as exposed.
- Implement SBOM (Software Bill of Materials) tracking with automated alerts so that a new resolved version of a critical package such as Axios in any build triggers review before deployment.
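One concrete way to carry out the audit and pinning steps above, as an added example that is not code from this advisory, from the Axios project, or from npm: walk an npm lockfile (both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 tree) to list every resolved copy of a package, flag copies outside an organization's allow‑list of vetted versions or lacking an integrity hash, and flag floating semver ranges in package.json. The allow‑list is a hypothetical assumption, and every version number, package name and lockfile entry below is a constructed placeholder, not a real Axios release; this advisory names no affected version.

```javascript
// Added example, not code from the advisory, from Axios, or from npm.
// All version numbers, package names and lockfile contents are CONSTRUCTED
// placeholders, not real Axios releases.

const PACKAGE = "axios";
// Assumption: versions the organization has vetted (placeholders, not real releases).
const KNOWN_GOOD = new Set(["1.0.0", "1.0.1"]);

// Constructed package.json with a floating caret range on the package under audit.
const samplePackageJson = {
  name: "sample-app",
  dependencies: { axios: "^1.0.0", "some-sdk": "2.0.0" },
  devDependencies: { jest: "29.0.0" },
};

// Constructed package-lock.json, lockfileVersion 3 (flat "packages" map keyed by
// install path). A transitive copy nested under some-sdk resolved to a version
// outside the allow-list and carries no integrity hash.
const sampleLockV3 = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.0.0", "some-sdk": "2.0.0" } },
    "node_modules/axios": { version: "1.0.1", integrity: "sha512-CONSTRUCTED-A" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "^1.0.0" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.0.9" },
  },
};

// Constructed lockfileVersion 1 equivalent (nested "dependencies" tree).
const sampleLockV1 = {
  name: "sample-app",
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.0.1", integrity: "sha512-CONSTRUCTED-A" },
    "some-sdk": {
      version: "2.0.0",
      requires: { axios: "^1.0.0" },
      dependencies: { axios: { version: "1.0.9" } },
    },
  },
};

// Every resolved copy of `name` in the lockfile, direct or transitive, with its install path.
function findPackageInstances(lock, name) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths; "" is the root project itself.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        out.push({ path, version: info.version, integrity: info.integrity });
      }
    }
  } else {
    // lockfileVersion 1: nested copies sit under each parent's "dependencies".
    const walk = (deps, prefix) => {
      for (const [depName, info] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) out.push({ path, version: info.version, integrity: info.integrity });
        walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Flag copies whose version is not vetted or that lack an integrity hash
// (without the hash, npm will not verify the tarball it downloads).
function auditLock(lock, name, knownGood) {
  const findings = [];
  for (const inst of findPackageInstances(lock, name)) {
    const reasons = [];
    if (!knownGood.has(inst.version)) reasons.push("version not in known-good set");
    if (!inst.integrity) reasons.push("no integrity hash");
    if (reasons.length) findings.push({ ...inst, reasons });
  }
  return findings;
}

// An exact pin looks like "1.2.3" or "1.2.3-beta.1"; ^, ~, *, "latest", ranges float.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function findFloatingRanges(pkgJson, name) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const field of fields) {
    const range = pkgJson[field] && pkgJson[field][name];
    if (range !== undefined && !EXACT_VERSION.test(range)) out.push({ field, range });
  }
  return out;
}

// package.json "overrides" fragment that forces every copy, transitive ones
// included, onto one vetted version (npm 8.3 and later honour this field).
function overridesFor(name, version) {
  return { overrides: { [name]: version } };
}

console.log(auditLock(sampleLockV3, PACKAGE, KNOWN_GOOD));
console.log(findFloatingRanges(samplePackageJson, PACKAGE));
console.log(JSON.stringify(overridesFor(PACKAGE, "1.0.1")));
```

In practice, point the functions at a real `package.json` and `package-lock.json` read from disk; `npm ls axios --all` gives the same list of resolved copies from the command line, `npm ci` installs exactly what the lockfile records, and the `overrides` fragment belongs in `package.json` to collapse transitive copies onto the pinned version. The allow‑list itself must come from your own vetting, since the advisory publishes no affected or safe version numbers.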
Technical Notes — Attack vector: targeted social engineering leading to stolen maintainer credentials; vector code mapped to STOLEN_CREDENTIALS. No public CVE; the malicious payload was a back‑door script inserted into the package’s source. Data types potentially exposed include API keys, user credentials, and internal business logic. Source: https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html