{"id":3435,"date":"2026-04-01T07:15:00","date_gmt":"2026-04-01T14:15:00","guid":{"rendered":"https:\/\/www.wiki-living.com\/index.php\/2026\/04\/01\/hundreds-of-thousands-of-stolen-secrets-may-have-been-exposed-as-a-result-of-this-latest-attack-google-says-north-korean-hackers-behind-massive-axios-attack\/"},"modified":"2026-04-02T01:16:40","modified_gmt":"2026-04-02T08:16:40","slug":"hundreds-of-thousands-of-stolen-secrets-may-have-been-exposed-as-a-result-of-this-latest-attack-google-says-north-korean-hackers-behind-massive-axios-attack","status":"publish","type":"post","link":"https:\/\/www.wiki-living.com\/index.php\/2026\/04\/01\/hundreds-of-thousands-of-stolen-secrets-may-have-been-exposed-as-a-result-of-this-latest-attack-google-says-north-korean-hackers-behind-massive-axios-attack\/","title":{"rendered":"&#8216;Hundreds of thousands of stolen secrets may have been exposed as a result of this latest attack&#8217;: Google says North Korean hackers behind massive Axios attack"},"content":{"rendered":"<p><br \/>\n<\/p>\n<div id=\"article-body\">\n<hr id=\"elk-54425299-9868-4e7b-bdf0-4b832cd766a2\"\/>\n<ul id=\"elk-37371436-2def-4ae7-9aa8-8a83bddecc16\">\n<li><strong>Google Threat Intelligence Group warns of supply chain attack on Axios npm library<\/strong><\/li>\n<li><strong>Malicious &#8220;plain-crypto-js&#8221; dependency installs WAVESHAPER.V2 backdoor on Windows, macOS, and Linux<\/strong><\/li>\n<li><strong>Evidence points to the North Korean group UNC1069, which is known for its long-running campaigns targeting cryptocurrency and software developers.<\/strong><\/li>\n<\/ul>\n<hr id=\"elk-8dbe621e-e72e-43e2-b795-586a376ec8a9\"\/>\n<p id=\"elk-89c0b648-03f6-49c6-8191-1d03c5b8b6df\">North Korean government-sponsored threat actors are targeting a popular npm package in an attempt to infect its users with malware.<\/p>\n<p>In a security advisory, Google&#8217;s Threat Intelligence Group (GTIG) said it was monitoring &#8220;active software 
attacks&#8221; targeting Axios, &#8220;a JavaScript library widely used to simplify HTTP requests&#8221;. Axios simplifies tasks like calling APIs, catching responses, and handling errors compared to using built-in tools like fetch or XMLHttpRequest.<\/p>\n<p id=\"elk-89c0b648-03f6-49c6-8191-1d03c5b8b6df-2\">The hackers targeted two versions of the package &#8211; 1.14.1 and 0.30.4 &#8211; which Google says typically have more than 100 million and 83 million weekly downloads, respectively. They attempted to introduce a malicious dependency called &#8220;plain-crypto-js&#8221;, a mysterious dropper that deploys the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux operating systems.<\/p>\n<h2 id=\"tying-it-to-north-korea-3\">Tying it to North Korea<\/h2>\n<p id=\"elk-5c28a411-fdb4-4a55-ac70-48e3056654bf\">Google 
described WAVESHAPER.V2 as a \u201cfully functional RAT\u201d, capable of reconnaissance (extracts telemetry), command execution (in-memory executable injection and arbitrary shell commands), and system enumeration (returns detailed metadata).<\/p>\n<p>It was written in C++, but other versions were available, written in PowerShell and Python, to target different environments.<\/p>\n<p>It was this backdoor that led Google to conclude that this was a campaign sponsored by North Korea. GTIG said WAVESHAPER.V2 is an updated version of WAVESHAPER, a backdoor previously used by a North Korea-nexus threat actor called UNC1069.<\/p>\n<p>&#8220;In addition, an analysis of the infrastructure used in this attack shows overlap with the infrastructure used by UNC1069 in previous operations,&#8221; Google said.<\/p>\n<p>UNC1069 has apparently been active since at least 2018, making it one of the longest-running threat actors out there. 
At the beginning of this year, <u>Mandiant<\/u> observed it using a combination of compromised Telegram accounts, fake Zoom calls, deepfake videos, and half a dozen types of malware to target organizations in the cryptocurrency sector and steal their cryptocurrency.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Google Threat Intelligence Group warns of supply chain attack on Axios npm library Malicious &#8220;plain-crypto-js&#8221; dependency installs WAVESHAPER.V2 backdoor on Windows, macOS, and Linux Evidence points to the North Korean group UNC1069, which is known for its long-running campaigns targeting cryptocurrency and software developers. 
North Korean government-sponsored threat actors are targeting the popular [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3436,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[],"class_list":{"0":"post-3435","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-smart-home-gadgets"},"_links":{"self":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/comments?post=3435"}],"version-history":[{"count":1,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3435\/revisions"}],"predecessor-version":[{"id":3437,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3435\/revisions\/3437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/media\/3436"}],"wp:attachment":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/media?parent=3435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/categories?post=3435"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/tags?post=3435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}