Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC1069 Axios npm supply-chain campaign targeting build pipelines

Campaign
First reported
Last updated
Happening score
H score 45
2 unique sources, 2 articles

Summary

Hide ▲

The Axios npm supply-chain compromise has been tied to UNC1069, putting npm consumers and downstream build pipelines at risk from trojanized releases. Attackers seized the maintainer's account and pushed malicious 1.14.1 and 0.30.4 versions that inserted plain-crypto-js. The delivery chain used a postinstall hook and a SILKBELL dropper to stage payloads for Windows, macOS, and Linux. The operation's reach and multi-platform design make it a reusable template for software supply-chain abuse rather than a one-off package issue.

Related Happenings

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Timeline

  1. 13.04.2026 20:39 1 articles · 2mo ago

    OpenAI rotates macOS code-signing certificates after Axios attack

    Mitigation Patch Update

    OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

    Show sources
  2. 01.04.2026 10:44 1 articles · 3mo ago

    Google attributes Axios npm supply-chain compromise to UNC1069

    Initial Disclosure

    Google attributed the Axios npm package supply-chain compromise to UNC1069, a suspected North Korean threat cluster, after attackers hijacked the maintainer's npm account and pushed trojanized 1.14.1 and 0.30.4 releases that added plain-crypto-js and enabled SILKBELL and WAVESHAPER.V2 payload delivery for Windows, macOS, and Linux systems.

    Show sources