North Korea-linked hackers suspected in Axios open-source hijack, Google analysts say

“The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts,” a chief Google analyst said.
North Korea-aligned hackers are believed to have seized a widely used, open-source JavaScript library, Google intelligence analysts said Tuesday, in a move that could put a significant number of software developers at risk of system compromise.
The hackers introduced compromised versions of Axios, a popular open-source JavaScript library, on Monday. Developers use the package, which is downloaded millions of times weekly, to enable internet connectivity for their software. The open-source library is not related to the national news organization also named Axios.
Security firm StepSecurity detected and halted the hack within a few hours of its deployment between late Monday and early Tuesday.
Google’s Threat Intelligence Group is investigating the attack and has attributed it to a suspected North Korean group it tracks as UNC1069, said John Hultquist, the group’s chief analyst.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts,” Hultquist added.
Rather than tampering with Axios itself, the attackers slipped in rogue code that executed during installation, bringing in a cross-platform remote access trojan, according to StepSecurity. The malware immediately reached out to a command-and-control server, deployed additional payloads and then wiped its own tracks, making detection difficult.
“This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” the StepSecurity blog says, referring to packaged collections of JavaScript code.
A supply chain attack occurs when hackers compromise a third-party software or service provider to distribute malware to its users downstream. The attack on Axios could give hackers remote access to infected systems, allowing them to steal credentials, move through networks and potentially compromise connected software used by thousands of other users.
Both the FBI and the Cybersecurity and Infrastructure Security Agency declined comment when contacted by Nextgov/FCW. It’s not immediately clear if the campaign has directly impacted U.S. government systems, though the attack vector could raise concerns for federal agencies and contractors that rely on widely used open-source packages.
Chinese, Russian and North Korean-affiliated hackers have been covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers and governments around the world, according to findings released last August from Strider Technologies.
Open-source projects — which underpin software systems used everywhere — rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers, who chat with one another about proposed changes.
Historically, community practices have operated under the premise that all contributors are benevolent. But that notion was challenged in 2024 when a user dubbed “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.
In December, the chairman of the Senate Intelligence Committee asked the White House national cyber director to take steps to address vulnerabilities in open-source software projects that help power many systems used in U.S. military and civilian agencies.
Last August, Nextgov/FCW first reported that a Russia-based Yandex employee was the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built software packages in the Department of Defense.