Economy March 31, 2026

Invisible infrastructure compromised in supply-chain attack tied to North Korean hackers

Malicious code slipped into an update to Axios, an open-source utility that quietly powers many web and app functions, Google says

By Caleb Monroe

Google and independent cybersecurity firms said hackers linked to North Korea inserted malware into an update for Axios, an open-source software library used widely to connect web services and apps. The injected code, since removed, could have captured credentials and other data and was built to run on macOS, Windows and Linux. Google attributes the operation to a group it tracks as UNC1069 and notes the attack follows a pattern of supply-chain intrusions used to steal cryptocurrency.

Key Points

  • Attackers inserted malware into an Axios update, an open-source library widely used to connect apps and web services.
  • Google attributes the operation to UNC1069, which has targeted cryptocurrency and financial sectors, and Microsoft-linked analysts say North Korean actors use such attacks to steal cryptocurrency.
  • Malware variants were prepared for macOS, Windows and Linux, and Elastic Security warned the delivery mechanism had "potential reach into millions of environments."

Overview

Google reported on Tuesday that cyber actors tied to North Korea compromised an update to Axios, a little-seen but widely used piece of open-source software that facilitates communication between applications and web services. Security researchers who analyzed the incident said the attackers added their own malicious program to an Axios update issued on Monday, enabling the code to run in environments that load the library.

How the intrusion worked

According to researchers, the injected malware was designed to collect data from infected machines, including login credentials. That information can be leveraged to conduct further intrusions, data theft, or other operations. The malicious code has been removed from the compromised update, researchers said.

Tom Hegel, a senior researcher at SentinelOne, emphasized Axios' pervasiveness: "Every time you load a website, check your bank balance, or open an app on your phone, there’s a good chance Axios is running somewhere in the background making that work." Hegel warned that because the software is trusted and runs automatically in many contexts, users do not need to click anything or take any other action for an infection to occur.

Attribution and motive

Google attributed the hack to a group it monitors as UNC1069. According to a February report cited by Google, the group has been active since at least 2018 and has targeted the cryptocurrency and financial sectors. John Hultquist, chief analyst for Google's threat intelligence group, said: "North Korean hackers have deep experience with supply chain attacks, which they primarily use to steal cryptocurrency."

According to the U.S. government, North Korea uses stolen cryptocurrency to fund weapons and other programs and to evade sanctions. North Korea's mission to the U.N. did not immediately respond to a request for comment.

Scope and technical details

Security firm Elastic Security published an analysis showing the attackers prepared versions of the malware that could run on macOS, Windows and Linux. Elastic said the attackers' approach "gained a delivery mechanism with potential reach into millions of environments." It was not clear how many times the malicious update was downloaded.

The developers of Axios could not immediately be reached for comment. Efforts to contact the hackers were unsuccessful.

Summary note: The breach is being treated as a supply-chain attack, a compromise at the software source that can enable downstream intrusions into organizations and devices that consume the affected code.

Risks

  • Supply-chain compromises can enable intrusions across many organizations and devices without user action, affecting software, tech and financial sectors.
  • Stolen credentials captured by the malware could be used for further data theft or additional cyber operations, posing risks to companies relying on Axios.
  • Uncertainty remains about the number of downloads and the full scope of downstream infections, leaving exposure and remediation requirements unclear for impacted entities.
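The last point is one each consuming team can narrow on its own: the first question after a supply-chain advisory against an npm library is which versions of it a build actually resolved, including copies nested under other dependencies. The following added example (not part of the article, and not code from the Axios project) walks an npm package-lock.json and reports every axios entry, its resolved version, and whether the lockfile pins an integrity hash; the affected-version set is a labelled placeholder, since the article names no version, and the sample lockfile is constructed.

```javascript
// Added example: inventory every axios copy in an npm package-lock.json.
// AFFECTED_AXIOS_VERSIONS is a PLACEHOLDER; replace it with the versions named
// in the vendor advisory. The article itself gives no version number.
const AFFECTED_AXIOS_VERSIONS = new Set(["0.0.0-PLACEHOLDER"]);

// Returns one record per axios install, at any nesting depth.
// lockfileVersion 2/3 store a flat "packages" map keyed by install path;
// lockfileVersion 1 stores a nested "dependencies" tree.
function collectAxiosEntries(lock) {
  const entries = [];
  const record = (path, meta) => entries.push({
    path, version: meta.version,
    resolved: meta.resolved || null, integrity: meta.integrity || null,
  });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/axios" || path.endsWith("/node_modules/axios")) record(path, meta);
    }
    return entries;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios") record(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return entries;
}

// Flags entries whose version is in the advisory set, and entries with no
// integrity hash (npm cannot then verify the fetched tarball against the lockfile).
function assessAxiosEntries(entries) {
  return entries.map(e => ({ ...e, affected: AFFECTED_AXIOS_VERSIONS.has(e.version), unpinned: !e.integrity }));
}

// Constructed sample lockfile (lockfileVersion 3): one direct axios, one nested under an SDK.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0", dependencies: { axios: "0.0.0-PLACEHOLDER" } },
    "node_modules/axios": { version: "0.0.0-PLACEHOLDER", resolved: "https://registry.npmjs.org/axios/-/axios-0.0.0-PLACEHOLDER.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/some-sdk": { version: "2.1.0", dependencies: { axios: "0.9.9-CONSTRUCTED" } },
    "node_modules/some-sdk/node_modules/axios": { version: "0.9.9-CONSTRUCTED" },
  },
};

for (const r of assessAxiosEntries(collectAxiosEntries(SAMPLE_LOCK))) {
  console.log(`${r.path}@${r.version} affected=${r.affected} unpinned=${r.unpinned}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a nested copy that is affected or unpinned is the one most often missed when only the top-level dependency is checked.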
