DPRK-linked AI supply‑chain theft grows
- ReversingLabs and Google tied fresh npm supply-chain attacks to DPRK-linked operators, including a March 31 axios compromise and an AI-assisted PromptMink campaign.
- One case used a Claude Opus co-authored February 28 commit to add a tainted dependency; another briefly poisoned axios, which sees 100 million weekly downloads.
- The bigger shift is scale: North Korean crews are mixing phishing, fake jobs, open-source poisoning, and AI tooling to reach developer machines faster.

Software supply-chain attacks used to sound niche. Now they look a lot more like a practical theft machine aimed at developers, crypto projects, and the companies that trust open-source code by default. The new twist is AI — not as magic malware, but as a force multiplier that helps bad code blend in, move faster, and slip through normal review. Over the last few days, researchers tied multiple fresh campaigns to North Korea-linked operators, including a poisoned axios release and an AI-assisted npm campaign called PromptMink. (cloud.google.com)

### What actually happened?

Two things landed almost back to back. Google’s threat team said a North Korea-nexus actor it tracks as UNC1069 compromised the maintainer account for axios and, between 00:21 and 03:20 UTC on March 31, 2026, pushed malicious versions 1.14.1 and 0.30.4 with a hidden dependency called `plain-crypto-js`. ReversingLabs, meanwhile, described Pro(cloud.google.com) code insertion to target crypto-adjacent projects. (cloud.google.com)

### Why does axios matter so much?

Because axios is everywhere. Google said the affected axios lines typically see more than 100 million and 83 million weekly downloads. That means even a short-lived compromise can hit developer laptops, CI runners, and production build systems at absurd scale. In the axios case, the malicious dependency dropped a backdoor called WAVESHAPER.V2 across Windows, macOS, and Linux. (cloud.google.com)

### Where does AI fit in?

Not in the scary movie sense. The more believable version is worse — AI helps make malicious changes look routine. ReversingLabs said a February 28, 2026 commit co-authored by Anthropic’s Claude Opus added `@solana-launchpad/sdk` to an open-source autonomous crypto trading project, which then pulled in the actual payload package, `@validate-sd(cloud.google.com)mouflage. (labs.cloudsecurityalliance.org)

### What were they trying to steal?

Pretty much the developer kingdom.
Panther’s April 24 write-up on a related DPRK-linked npm wave said the packages targeted crypto wallets and key material, cloud credentials, SSH keys, browser cookies, Telegram sessions, `.npmrc` credentials, and local `.env` files. Some variants also wrote attacker-controlled SSH keys into `authorized_keys`, which turns a quick smash-and-grab into longer access. (panther.com)

### Is phishing still the front door?

Yes — a lot of the time. Even when the visible payload is an npm package, the initial break-in often starts with social engineering: fake recruiters, fake companies, fake coding tests, or stolen maintainer credentials. Google said the axios incident involved a compromised maintainer account. The broader DPRK playbook around crypto theft also leans heavily on social engineering and then laundering at scale once the money moves. (cloud.google.com)

### How big is the money side?

Huge. The FBI said North Korea was responsible for the theft of about $1.5 billion from Bybit on February 21, 2025. Chainalysis said DPRK-linked hackers stole about $1.34 billion across 47 incidents in 2024, and the Bybit theft alone exceeded that annual total. That does not prove every npm campaign leads straight to a billion-dollar heis(cloud.google.com)rger financial attacks. (ic3.gov)

### So what changed?

The old model was “phish a person, steal a secret.” The newer model is “phish a person, poison the code they publish, and let downstream trust do the spreading.” Panther tracked 108 malicious npm packages and 261 versions in just one DPRK-linked wave from March 20 to April 20, 2026. That is less a one-off hack than a package factory. (panther.com)

### Bottom line?

This is not really an “AI threat” story. It is a trust-chain story. North Korean operators are getting better at blending human deception, open-source abuse, and AI-assisted code changes into one workflow. The result is simple — compromise one developer, and you may get a whole software ecosystem for free. (cloud.google.com)
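
One way to check a project for the indicators named above (axios 1.14.1 and 0.30.4, `plain-crypto-js`, `@solana-launchpad/sdk`) is to scan its parsed `package-lock.json`. This is an added example, not code from Google, ReversingLabs or Panther; the function names and the sample lockfile are constructed for illustration.

```javascript
// Indicators are the ones named in the article; all function names are illustrative.
const BAD_VERSIONS = new Map([["axios", ["1.14.1", "0.30.4"]]]);
const BAD_PACKAGES = new Set(["plain-crypto-js", "@solana-launchpad/sdk"]);

// "node_modules/a/node_modules/@s/pkg" -> "@s/pkg" (lockfile v2/v3 keys are paths)
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

function classify(name, version, where) {
  const badVersion = (BAD_VERSIONS.get(name) || []).includes(version);
  if (!BAD_PACKAGES.has(name) && !badVersion) return null;
  return { name, version, where, reason: badVersion ? "malicious release" : "flagged package" };
}

// lockfileVersion 1 nests transitive packages under "dependencies"
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const hit = classify(name, info.version, [...trail, name].join(" > "));
    if (hit) hits.push(hit);
    walkV1(info.dependencies, [...trail, name], hits);
  }
}

// Scan a parsed package-lock.json; returns one record per match.
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const hit = classify(info.name || nameFromPath(path), info.version, path);
      if (hit) hits.push(hit);
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-sample" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, pass the result of `JSON.parse` on that project's `package-lock.json` to `scanLockfile`.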