Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
Google has formally attributed the supply chain compromise of the widely used Axios npm package to a North Korean threat activity cluster it tracks as UNC1069, The Hacker News reported Wednesday.
John Hultquist, chief analyst at Google's Threat Intelligence Group, confirmed the attribution in a statement, saying the attack was carried out by a suspected North Korean actor with financial motivations. Axios is one of the most downloaded JavaScript libraries on the internet, used by millions of applications to handle HTTP requests.
The attack involved injecting malicious code into the Axios package distributed via the npm registry, effectively turning a trusted open-source dependency into a delivery mechanism for credential theft. Credentials harvested in this attack were subsequently used in downstream intrusions, including the breach of Cisco's internal development environment disclosed earlier this week.
UNC1069 is one of several North Korean-linked threat clusters tracked by U.S. intelligence and private security firms. North Korean state-sponsored hackers have become increasingly sophisticated in targeting software supply chains and developer tooling as a method of scaling access to high-value corporate targets.
The attribution adds a geopolitical dimension to what initially appeared to be criminal activity. North Korean hacking operations have historically served dual purposes: intelligence collection for the regime and cryptocurrency theft to fund state operations under sanctions.
The Axios compromise is part of a broader wave of npm supply chain attacks that has unsettled the developer community. Security researchers have urged companies to audit their dependency trees and implement software composition analysis tools to detect tampered packages.
Google Threat Intelligence Group provided the attribution on April 1, 2026.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.