Axios Library Hit by North Korean Hackers, Raising Crypto Theft Concerns
Pyongyang-linked UNC1069 hijacks critical open-source infrastructure to target cryptocurrency enterprises.
A sophisticated cyber-espionage attack linked to North Korean threat actor UNC1069 shocked the global software community after successfully compromising Axios, a widely used JavaScript library.
For three critical hours on Tuesday morning, hackers took over a primary developer’s npm account, pushing infected updates to a package downloaded tens of millions of times weekly.
This precise strike targets the hidden systems of the internet, allowing Pyongyang to steal billions in cryptocurrency from healthcare, finance, and tech firms while avoiding detection with self-deleting malware.
North Korean Hackers Hijack Axios Infrastructure
The breach began when suspected North Korean operatives gained unauthorized access to the npm account of a senior Axios maintainer, identified as Jason Saayman.
Reports from TechCrunch say the attackers locked the developer out by changing his registered email to their own. During this takeover, they published malicious versions 1.14.1 and 0.30.4.
These updates added a hidden dependency called “plain-crypto-js” to deliver the SILKBELL dropper, a tool that secretly installs harmful software on infected systems.
The attack lasted about three hours before being stopped, but the potential impact is serious. Because Axios is widely used across the digital economy to handle web requests, the malicious code reached an unknown number of automated build systems and developer setups worldwide.
Why the UNC1069 Breach Matters Internally
The significance of this attack lies in its “invisible” nature and the extreme trust placed in open-source dependencies.
As Tom Hegel, a senior researcher at SentinelOne, explained to Reuters, Axios runs in the background of almost every modern digital interaction, from checking bank balances to loading mobile applications.
By targeting this key system, UNC1069 gained access to millions of environments without requiring any user to click a suspicious link.
Mandiant, a Google-owned cyber intelligence firm, has linked this activity to North Korea’s broader strategy of funding its nuclear and missile programs through digital theft.
Ben Read, a cybersecurity researcher at Wiz, told CNN that, unlike typical hackers who try to stay hidden, Pyongyang focuses on stealing large amounts of cryptocurrency data rather than avoiding attention.
Experts and Mandiant Detail Attack Mechanics
The technical sophistication of the payload shows a highly organized attacker.
According to The Hacker News, the malware, called WAVESHAPER.V2, is an updated version of earlier North Korean tools, now built to support JSON-based communication and infect across Windows, macOS, and Linux systems.
Charles Carmakal, CTO at Mandiant, warned that the group plans to use the stolen data for a long-term campaign that could take months to fix, per CNN.
John Hammond, security researcher at Huntress, found that the malware was built to automatically delete its own files to avoid detection. He described the hack to CNN as “perfectly timed,” noting that the rise of AI agents, which often pull and use code without human checks, has created an “open door” for these supply chain attacks.
Broader Impact on Global Software Supply
This incident highlights a systemic vulnerability in the global software supply chain beyond the immediate damage to Axios.
According to Reuters, Elastic Security Labs analyzed the delivery mechanism, noting that the attackers prepared payloads for three different operating systems, showing a scalable operation rather than a one-time attack.
Beyond the immediate risk of cryptocurrency theft, the compromise of a package with a reported 80 million weekly downloads means the wider impact will spread across the industry for the rest of 2026.
Every organization using these dependencies must now treat any sensitive data or credentials exposed during the breach window as compromised and review their approach to safeguarding sensitive data.
Future Outlook for AI-Driven Cybersecurity
Looking ahead, the integration of artificial intelligence into hacking workflows signals a new phase of persistent threats. Analysts note that detection times are increasing as attackers use AI to continuously modify malicious code and avoid detection.
This Axios breach shows that North Korean groups are already operating at this intersection of automation and infrastructure control.
Organizations are now being urged to move beyond simple updates and adopt a “zero trust” software bill of materials (SBOM) approach to reduce future risk.