North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

    Date: 04/01/2026

    Severity: High

    Summary

    A software supply chain attack targeted the widely used axios NPM package by injecting a malicious dependency, plain-crypto-js, into specific versions, impacting millions of users. The malicious code acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems. The activity is attributed to UNC1069, a financially motivated North Korea-linked threat actor, highlighting the risk of large-scale compromise through trusted open-source ecosystems.

    Indicators of Compromise (IOC) List

    Domains/URLs

    sfrclak.com

    http://sfrclak.com:8000

    http://sfrclak.com:8000/6202033

    IP Addresses

    142.11.206.73

    23.254.167.216

    Hashes (SHA-256)

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://sfrclak.com:8000" or siteurl like "http://sfrclak.com:8000" or url like "http://sfrclak.com:8000" or domainname like "sfrclak.com" or siteurl like "sfrclak.com" or url like "sfrclak.com" or domainname like "http://sfrclak.com:8000/6202033" or siteurl like "http://sfrclak.com:8000/6202033" or url like "http://sfrclak.com:8000/6202033"

    Detection Query 2:

    dstipaddress IN ("23.254.167.216","142.11.206.73") or srcipaddress IN ("23.254.167.216","142.11.206.73")

    Detection Query 3:

    sha256hash IN ("fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf","58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668","f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd","ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c","e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09","92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a","617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101")
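    The queries above match the network and file indicators; the injected dependency named in the summary can also be checked for directly in a project's lockfile. The following Node.js script is an added example, not code from the advisory or from Gurucul; it assumes an npm package-lock.json with lockfileVersion 2 or 3 (the "packages" map), and the version strings in its constructed sample are placeholders.

```javascript
// Added example (not from the advisory or from Gurucul): scan an npm
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for the
// injected dependency named in the advisory and report which packages
// pull it in. For a real project, replace SAMPLE_LOCK with
// require('fs').readFileSync('package-lock.json', 'utf8').
const MALICIOUS_PACKAGE = 'plain-crypto-js'; // dependency named in the advisory

// Constructed sample lockfile: a project depending on axios, where the
// installed axios tree carries plain-crypto-js. Version strings are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '0.0.0-placeholder', lodash: '4.17.21' } },
    'node_modules/axios': {
      version: '0.0.0-placeholder',
      dependencies: { 'plain-crypto-js': '0.0.0-placeholder' },
    },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
    'node_modules/lodash': { version: '4.17.21' },
  },
});

// Returns a list of findings: every installed copy of the malicious package
// (its path under node_modules) plus every package that declares it as a
// dependency. An empty list means the lockfile does not reference it.
function findMaliciousDependency(lockJson, name = MALICIOUS_PACKAGE) {
  const lock = JSON.parse(lockJson);
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    // Installed copies: any path whose last node_modules segment is the name
    // (this also catches nested copies such as node_modules/a/node_modules/<name>).
    if (path.split('node_modules/').pop() === name) {
      findings.push({ kind: 'installed', path, version: entry.version });
    }
    // Declaring packages: anything listing it in a dependency field.
    for (const field of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      if (entry[field] && Object.prototype.hasOwnProperty.call(entry[field], name)) {
        findings.push({ kind: 'dependent', path: path || '<root>', range: entry[field][name] });
      }
    }
  }
  return findings;
}

// Stand-alone run against the constructed sample.
console.log(findMaliciousDependency(SAMPLE_LOCK));
```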

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package

    Tags

    Malware, Threat Actor, North Korean, Supply chain attack, Node Package Manager (NPM), Backdoor