Google links axios attack to suspected North Korean actor
Google Threat Intelligence Group has linked the recent axios npm supply chain attack to a suspected North Korean threat actor known as UNC1069. The incident affects one of the world's most widely used JavaScript libraries.
The attribution adds to concerns about software supply chain risk for organisations in Australia and New Zealand, where open-source components are widely embedded in business applications and development pipelines. Because axios is used across thousands of applications, a compromise in the package can spread through multiple downstream environments.
GTIG said the axios incident is separate from the recent TeamPCP supply chain issues and that it is still investigating the extent of the breach and its impact on users of the package.
John Hultquist, Chief Analyst at Google Threat Intelligence Group, said the operation fits a pattern seen in North Korean cyber activity.
"GTIG is investigating the axios supply chain attack, an incident unrelated to the recent TeamPCP supply chain issues. We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," Hultquist said.
Axios is a widely used JavaScript library that developers use to manage HTTP requests between applications and services. Its adoption across modern software stacks means any compromise can create exposure far beyond the component that was originally compromised.
Supply chain risk
Security specialists have warned for years that trusted third-party software has become an attractive route for attackers seeking broad access. Instead of targeting one company at a time, a successful package compromise can open a path into many organisations at once.
That risk has grown more acute as businesses adopt cloud-native systems, DevOps workflows and AI-assisted development tools. Many organisations rely on large numbers of open-source packages without a complete view of every dependency or equivalent controls around each one.
For organisations in Australia and New Zealand, the axios incident echoes repeated warnings from the Australian Cyber Security Centre and other agencies about third-party software exposure. Supply chain attacks differ from more conventional intrusions because they exploit software that users and internal systems already trust, allowing malicious activity to bypass perimeter controls.
Hultquist said GTIG expects the incident to have broad consequences because of the package's popularity.
"North Korean hackers have deep experience with supply chain attacks, which they've historically used to steal cryptocurrency," Hultquist said. "The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts."
Immediate steps
Security teams from Mandiant and Google Threat Intelligence Group are urging organisations to review their software dependencies and assess whether affected packages are present in their environments. They recommend improving visibility into third-party components, watching for unusual or unauthorised package behaviour, tightening controls on code integrity and updates, and accelerating patching and remediation.
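As an added example of the first recommendation (not code from the article, Google or Mandiant), the script below inventories every resolved copy of a package such as axios in an npm lockfile, including transitive copies that package.json alone does not reveal, and flags copies that match an advisory version list, lack an integrity hash, or were fetched from outside the public registry. The sample lockfile, the package names and the affected-version list are constructed placeholders, not values from the incident.

```javascript
// Returns every copy of `name` in an npm lockfile (lockfileVersion 2 or 3,
// "packages" keyed by node_modules path), direct or nested. Matching the full
// path segment avoids false hits on similarly named packages ("axios-retry").
function findPackageInLockfile(lock, name) {
  const hits = [];
  const leaf = `node_modules/${name}`;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === leaf || path.endsWith(`/${leaf}`)) {
      hits.push({
        path,
        version: meta.version,
        resolved: meta.resolved || null,
        hasIntegrity: typeof meta.integrity === "string" && meta.integrity.length > 0,
      });
    }
  }
  return hits;
}

// Flags a copy when its version is on the advisory list, when it carries no
// integrity hash (so `npm ci` cannot verify the tarball), or when it resolved
// from somewhere other than the public registry.
function assessPackage(lock, name, affectedVersions) {
  const copies = findPackageInLockfile(lock, name);
  const affected = new Set(affectedVersions);
  const flagged = copies.filter((c) =>
    affected.has(c.version) || !c.hasIntegrity ||
    (c.resolved !== null && !c.resolved.startsWith("https://registry.npmjs.org/")));
  return { present: copies.length > 0, copies, flagged };
}

// Constructed sample lockfile (not a real project): a direct copy of axios and
// one nested under a hypothetical SDK. Versions and hashes are made up.
const REG = "https://registry.npmjs.org";
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.0.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.0.0", resolved: `${REG}/axios/-/axios-1.0.0.tgz`, integrity: "sha512-CONSTRUCTED" },
    "node_modules/axios-retry": { version: "3.0.0", resolved: `${REG}/axios-retry/-/axios-retry-3.0.0.tgz`, integrity: "sha512-CONSTRUCTED" },
    "node_modules/some-sdk": { version: "2.0.0", resolved: `${REG}/some-sdk/-/some-sdk-2.0.0.tgz`, integrity: "sha512-CONSTRUCTED" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.99.0", resolved: "https://mirror.example.invalid/axios-0.99.0.tgz" },
  },
};

// PLACEHOLDER: populate from the published advisory; this value is constructed.
const AFFECTED_VERSIONS_PLACEHOLDER = ["0.99.0"];
console.log(JSON.stringify(assessPackage(SAMPLE_LOCK, "axios", AFFECTED_VERSIONS_PLACEHOLDER), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json and the placeholder list with the versions named in the advisory.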
Those recommendations reflect a broader shift in cyber defence, as businesses move from treating open-source libraries as low-risk building blocks to recognising them as a central part of operational security. Dependency management, code provenance and package monitoring are now core concerns for both software development and information security teams.
The attribution to a suspected North Korean actor also points to a broader shift in the methods used by state-backed groups. Rather than relying only on direct intrusions into specific targets, attackers are increasingly looking for systemic ways to compromise trusted infrastructure or software that can then be distributed at scale.
Investigators are still working to establish the full scope of the axios incident, including how many environments may have been exposed. For companies reviewing their software supply chains, the episode underlines the need to continuously verify the trustworthiness of software components rather than assume commonly used packages are safe by default.