Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Wednesday, April 1, 2026 at 07:44 AM UTC·Source: The Hacker News

Updated: Wednesday, April 1, 2026 at 07:13 PM UTC

Executive Summary

Google has formally attributed the supply chain compromise of the popular Axios npm package to a financially motivated North Korean threat activity cluster tracked as UNC1069. "We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement. "North Korean

Analysis

Source Attribution

Originally published by The Hacker News on Apr 1, 2026.

Related Threats

MEDIUMSupply Chain

Mercor confirms security incident tied to LiteLLM supply chain attack

Although the LiteLLM attack was reportedly tied to a group called TeamPCP, the hacking gang Lapsus$ claimed on its website that it obtained hundreds of gigabytes of Mercor’s data.

1d agoThe Record

MEDIUMSupply Chain

Threat Brief: Widespread Impact of the Axios Supply Chain Attack

Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup. The post Threat Brief: Widespread Impact of the Axios Supply Chain Attack appeared first on Unit 42 .

1d agoUnit 42 (Palo Alto)

LOWSupply Chain

Axios NPM Package Breached in North Korean Supply Chain Attack

A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions. The post Axios NPM Package Breached in North Korean Supply Chain Attack appeared first on SecurityWeek .

1d agoSecurityWeek