Suspected North Korean Actor Linked to Major NPM Supply Chain Attack, Google Warns
Posted: Thursday, Apr 02

A recent software supply chain attack involving the widely used axios npm package has been attributed to a suspected North Korean threat actor, underscoring growing concerns about the security of open-source ecosystems relied on by Australian organisations.

According to the Google Threat Intelligence Group (GTIG), the attack is not connected to the previously reported TeamPCP activity, but instead linked to a separate actor tracked as UNC1069.

“GTIG is investigating the axios supply chain attack, an incident unrelated to the recent TeamPCP supply chain issues. We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” said John Hultquist, Chief Analyst at GTIG.

The axios library is one of the most commonly used JavaScript packages globally, embedded in thousands of enterprise and commercial applications. Its compromise highlights the systemic risks posed by third-party dependencies in modern software development.

Hultquist noted that the tactics align with long-standing North Korean cyber operations.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” he said. “The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”

For organisations across Australia and New Zealand, the incident reinforces warnings from the Australian Cyber Security Centre (ACSC) around software supply chain vulnerabilities and the increasing sophistication of state-backed actors.

Supply chain attacks allow adversaries to compromise trusted software components, enabling them to infiltrate multiple organisations simultaneously without directly targeting each victim. This technique has become increasingly attractive as enterprises accelerate digital transformation and rely more heavily on open-source tools.

Security experts from Mandiant and GTIG have advised organisations to strengthen visibility into software dependencies, monitor for unusual package behaviour, and implement stricter controls around code integrity and updates.

The incident also reflects a broader trend in which North Korean-linked groups expand beyond financial theft into more complex and scalable attack vectors, including the compromise of widely distributed software components.

As investigations continue, organisations are being urged to review their exposure to affected packages and ensure rapid patching and remediation processes are in place.
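
One way to carry out the exposure review described above, as an added example that is not from GTIG, Mandiant or the article: list every resolved copy of axios in an npm lockfile, including copies pulled in transitively or under an alias. The function names, the sample lockfile and the suspect version are constructed; the article names no affected versions, so `SUSPECT_VERSIONS` is a placeholder to fill from a vendor advisory.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); versions and hashes are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.0.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.0.1', integrity: 'sha512-CONSTRUCTED-A' },
    'node_modules/some-sdk': { version: '2.3.0', integrity: 'sha512-CONSTRUCTED-B' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.9.9', integrity: 'sha512-CONSTRUCTED-C' },
    'node_modules/axios-retry': { version: '3.0.0', integrity: 'sha512-CONSTRUCTED-D' },
    'node_modules/http-alias': { name: 'axios', version: '1.0.1', integrity: 'sha512-CONSTRUCTED-A' },
  },
};

// Placeholder: replace with the versions named in an advisory (none appear in the article).
const SUSPECT_VERSIONS = new Set(['0.9.9']);

// Return every install location of `name` recorded in a parsed package-lock.json.
function findPackage(lock, name) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, integrity: meta.integrity || null });
  if (lock.packages) {
    // v2/v3 layout: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root project or workspace folder
      // Aliased installs carry the real package name in `name`.
      const pkgName = meta.name || path.slice(idx + 'node_modules/'.length);
      if (pkgName === name) record(path, meta);
    }
  } else if (lock.dependencies) {
    // v1 layout: nested dependency tree.
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) record(path, meta);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Mark each located copy whose version is on the suspect list.
function assessExposure(lock, name, suspect) {
  return findPackage(lock, name).map((h) => ({ ...h, suspect: suspect.has(h.version) }));
}

console.log(assessExposure(SAMPLE_LOCK, 'axios', SUSPECT_VERSIONS));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json`.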

 
