A suspected North Korean hacker has hijacked and modified a popular open source software development tool to deliver malware that could put millions of developers at risk of being hacked.
On Monday, a hacker published malicious versions of the widely used JavaScript library Axios, which developers rely on to let their software connect to the Internet. The affected library is hosted on npm, a software repository that stores code for open source projects. Axios is downloaded tens of millions of times every week.
The hijacking was detected and stopped in about three hours overnight Monday into Tuesday, according to security firm StepSecurity, which analyzed the attack.
Hackers are increasingly targeting developers of popular open source projects in an attempt to mass hack anyone who relies on the compromised code, giving hackers access to huge numbers of affected devices. These types of widespread breaches are called supply chain attacks because they target software that allows hackers to then hack anyone who downloaded the compromised software. In recent years, hackers have targeted companies like 3CX, Kaseya, and SolarWinds, as well as open source tools like Log4j and Polyfill.io, to target large numbers of their users.
It is unclear at this point how many people downloaded the malicious versions of Axios during that window. The Aikido security company, which also investigated the incident, said that anyone who downloaded the code “should assume that their system has been compromised.”
Google told TechCrunch that its security researchers are linking the Axios compromise to North Korean hackers.
“We have attributed the attack to a suspected North Korean threat actor we are monitoring as UNC1069,” said John Hultquist, the principal analyst for Google’s Threat Intelligence Group. “North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrencies. The full scope of this incident is still unclear, but given the popularity of the compromised package, we expect it to have far-reaching effects.”
Contact us
Do you have more information about this hack? Or other supply chain attacks? From a non-work device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382, via Telegram, Keybase and Wire at @lorenzofb, or via email.
The hacker was able to inject malicious code into Axios by compromising the account of one of the project’s main developers, who was authorized to push updates. The hacker replaced the legitimate developer’s email address on the account with his own, making it harder for the developer to regain access.
Once in control of the account, the hacker injected malicious code designed to deliver a remote access trojan, or RAT — essentially malware that can give hackers complete, remote control of the victim’s computer. The hacker then published new versions of Axios, disguised as a legitimate update, for Windows, macOS and Linux users.
According to security researchers, the hacker also designed the malware, as well as some of the code used to deliver it, to automatically delete itself after installation in an attempt to evade anti-malware engines and researchers.
Updated to include Google’s attribution of the attack to North Korea.
