North Korea hits backend software
Researchers reported a North Korea-linked intrusion that compromised largely invisible backend software powering online services to steal logins and enable follow-on operations. The incident is a reminder that third-party and 'shadow IT' providers can be the entry point for attacks that propagate into schools' cloud services. (reuters.com)

Google's Threat Intelligence Group (GTIG) says an active supply-chain compromise inserted a malicious dependency named plain-crypto-js into axios releases published between 00:21 and 03:20 UTC on March 31, 2026. The dependency deployed an obfuscated dropper that delivered a WAVESHAPER.V2 backdoor to Windows, macOS and Linux systems. (cloud.google.com) The attack published two poisoned axios releases, axios@1.14.1 and axios@0.30.4, whose postinstall hook ran setup.js (SHA256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09) to drop platform-specific payloads. (cloud.google.com) GTIG attributes the operation to UNC1069, a North Korea-nexus actor active since at least 2018, citing reuse of WAVESHAPER tooling and infrastructure that overlaps with prior UNC1069 activity. (cloud.google.com)

Axios is one of the JavaScript ecosystem's most-used libraries (roughly 100 million weekly downloads). The poisoned versions were live for about two to three hours and were pulled after automated scanners flagged the malicious dependency; Wiz estimates that roughly 3% of users downloaded the backdoored builds during that window. (trendmicro.com)

Investigators say the attacker hijacked the lead maintainer's npm account (the account email was changed to ifstap@proton.me), used a long-lived npm token to publish directly via the npm CLI, bypassing the GitHub Actions OIDC protections, and pre-staged plain-crypto-js as a registry artifact about 18 hours before the axios publish. (securityweek.com) Technical reports show the dropper provided remote shell, code-injection, and process and directory enumeration capabilities, and attempted anti-forensics by replacing the malicious files with clean decoys after execution. That means compromised build agents, CI/CD runners or automated deployments could have become persistent footholds. (securityweek.com)
Google’s Threat Intelligence Group says an active supply‑chain compromise inserted a malicious dependency named plain‑crypto‑js into axios releases between 00:21 and 03:20 UTC on March 31, 2026, which deployed an obfuscated dropper that delivered a WAVESHAPER.V2 backdoor to Windows, macOS and Linux systems. (cloud.google.com) (cloud.google.com: ) The attack published two poisoned axios releases — axios@1.14.1 and axios@0.30.4 — that executed a postinstall hook running setup.js (SHA256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09) to drop platform‑specific payloads. (cloud.google.com) (cloud.google.com: ) Google GTIG attributes the operation to UNC1069, a North Korea‑nexus actor active since at least 2018, citing reuse of WAVESHAPER tooling and overlapping infrastructure with prior UNC1069 activity. (cloud.google.com) (cloud.google.com: ) Axios is one of the JavaScript ecosystem’s most‑used libraries (roughly 100 million weekly downloads), the poisoned versions were live for about two to three hours and were pulled after automated scanners flagged the malicious dependency; Wiz estimates roughly 3% of users downloaded the backdoored builds during that window. (trendmicro.com) (trendmicro.com: ) Investigators say the attacker hijacked the lead maintainer’s npm account (the account email was changed to ifstap@proton.me), used a long‑lived NPM token to publish directly via the npm CLI (bypassing GitHub Actions OIDC protections), and pre‑staged plain‑crypto‑js as a registry artifact ~18 hours before the axios publish. (securityweek.com) (securityweek.com: ) Technical reports show the dropper provided remote shell, code‑injection, process and directory enumeration capabilities and attempted anti‑forensics by replacing malicious files with clean decoys after execution, meaning compromised build agents, CI/CD runners or automated deployments could have become persistent footholds. (securityweek.com) (securityweek.com: )