UNC1069 Axios npm supply-chain campaign targeting build pipelines

Type: Campaign
Happening score: 49
2 unique sources, 2 articles

Summary

The Axios npm supply-chain compromise has been tied to UNC1069, putting npm consumers and downstream build pipelines at risk from trojanized releases. Attackers seized the maintainer's account and pushed malicious 1.14.1 and 0.30.4 versions that inserted plain-crypto-js. The delivery chain used a postinstall hook and a SILKBELL dropper to stage payloads for Windows, macOS, and Linux. The operation's reach and multi-platform design make it a reusable template for software supply-chain abuse rather than a one-off package issue.
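A lockfile check for the releases named above, as an added example that is not code from the reporting sources. It assumes plain-crypto-js shows up as an installed package in the lockfile; the function names, the sample lockfile and its other package names and versions are constructed for illustration.

```javascript
// Added example: flag the releases named in the summary inside a parsed npm lockfile.
// Taken from this page: axios 1.14.1 and 0.30.4, and the package name plain-crypto-js.
const BAD_VERSIONS = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const BAD_NAMES = new Set(["plain-crypto-js"]); // assumption: any version is a hit

function check(name, version, path, out) {
  if (BAD_NAMES.has(name) || BAD_VERSIONS.get(name)?.has(version)) {
    out.push({ name, version: version || "unknown", path });
  }
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail ? `${trail} > ${name}` : name;
    check(name, info.version, path, out);
    walkV1(info.dependencies, path, out);
  }
}

function findCompromised(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, so transitive
    // copies such as node_modules/a/node_modules/axios are covered too.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (!path.includes("node_modules/")) continue; // root project, workspaces
      const name = info.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      check(name, info.version, path, out);
    }
  } else {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-sample" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/other/node_modules/axios": { version: "1.7.9" },
    "node_modules/@scope/pkg": { version: "2.0.0" },
  },
};
for (const h of findCompromised(sampleLock)) console.log(`${h.name}@${h.version}  ${h.path}`);
```

A hit in a lockfile that was installed on a build runner means the postinstall hook may have run there, so secrets reachable from that job are candidates for rotation, as in the OpenAI entry in the timeline.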

Timeline

  1. 13.04.2026 20:39 · 1 article

    OpenAI rotates macOS code-signing certificates after Axios attack

    Mitigation Patch Update

    OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

  2. 01.04.2026 10:44 · 1 article

    Google attributes Axios npm supply-chain compromise to UNC1069

    Initial Disclosure

    Google attributed the Axios npm package supply-chain compromise to UNC1069, a suspected North Korean threat cluster, after attackers hijacked the maintainer's npm account and pushed trojanized 1.14.1 and 0.30.4 releases that added plain-crypto-js and enabled SILKBELL and WAVESHAPER.V2 payload delivery for Windows, macOS, and Linux systems.
