ACTIVE CAMPAIGN | NATION-STATE THREAT
Active ThreatUpdated 14 min read

North Korea Hid 1,700 Malicious Packages Inside Your Dev Team's Tools

npm. PyPI. Go. Rust. PHP. All five ecosystems. Simultaneously. North Korea's Contagious Interview operation just executed the most comprehensive open-source supply chain poisoning campaign ever documented, and then compromised Axios, the JavaScript library with 100 million weekly downloads.

Sources:Socket Security|Google GTIG / Mandiant|Elastic Security|Microsoft Threat Intelligence|The Security Alliance (SEAL)
1,700+
Malicious packages tracked
5
Ecosystems hit simultaneously
100M+
Weekly Axios downloads at risk
2018
UNC1069 active since

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Socket Security researcher Kirill Boychenko published intelligence on April 7, 2026 documenting a new cluster within North Korea's long-running Contagious Interview campaign: twelve confirmed malicious packages and two sleeper packages deployed simultaneously across npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP). All reused the same staging infrastructure and loader patterns. All functioned as malware loaders designed to fetch platform-specific second-stage payloads delivering infostealers and remote access trojans.

This is not a new campaign. It is an expansion of one. Socket's tracker for Contagious Interview now lists more than 1,700 malicious packages tied to the activity. The April cluster is a small slice of that total, but it is the first time the operation has been documented pushing coordinated, simultaneous packages across five separate registries using shared infrastructure and identical loader logic.

And that is only half the story. A separate, more consequential operation targeted Axios, the most popular JavaScript HTTP client in the world, present in an estimated 80% of cloud environments, by compromising its lead maintainer through a weeks-long social engineering campaign, then using the stolen publishing credentials to inject a backdoor into a live npm package with 100 million weekly downloads.

The packages: what was confirmed across five ecosystems

The packages were published under GitHub aliases including golangorg, aokisasakidev, and aokisasakidev1, with supporting persona networks under maxcointech1010 and maxcointech0000. They impersonated common developer utilities, debug loggers, license validators, HTTP libraries, names chosen because they sound like the kind of thing a developer installs without a second thought.

Socket reported all identified live packages to the affected registries and submitted takedown requests for associated GitHub accounts. The crates.io security team removed logtrace under advisory RUSTSEC-2026-0081. The Go Security team blocked the identified malicious modules. The npm security team removed the aokisasakidev packages. At time of reporting, some packages had been removed. Others remained live.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The Axios operation: when North Korea compromised 100 million downloads

The Contagious Interview cross-ecosystem cluster is only one part of a broader offensive. A separate, even more consequential operation targeted Axios, the most popular JavaScript HTTP client library in the world, with approximately 100 million weekly downloads and present in an estimated 80% of cloud environments.

This attack was not a fake package. It was a compromised legitimate one. UNC1069 ran a multi-week social engineering campaign targeting Jason Saayman, the lead maintainer of Axios. They built rapport across messaging platforms, masqueraded as credible contacts, and eventually delivered a remote access trojan that gave them persistent access to his development environment, and the long-lived npm access token that Axios used for publishing.

The Axios maintainer described the campaign as 'extremely well coordinated, looked legit, and was done in a professional manner.' Any engineer who maintains open-source packages with high download counts is a priority target.

1

Weeks prior, Social engineering campaign begins

UNC1069 builds rapport with Axios maintainer Jason Saayman via Telegram, LinkedIn, and Slack, impersonating credible contacts. A convincing fake meeting link delivers a RAT, giving persistent access to his workstation and the long-lived npm publishing token.

2

Mar 30, 05:57 UTC, Decoy package pre-staged

A clean version of plain-crypto-js@4.2.0 is published 18 hours early to establish trust in the npm ecosystem. Deliberate pre-staging, not opportunism.

3

Mar 30, 23:59 UTC, Payload version published

plain-crypto-js@4.2.1, containing the SILKBELL dropper and WAVESHAPER.V2 RAT, is published to npm.

4

Mar 31, 00:21 UTC, Axios account takeover and poisoned release

Using the stolen long-lived npm token, attacker publishes axios@1.14.1 and axios@0.30.4, injecting plain-crypto-js@4.2.1 as a runtime dependency. Maintainer's email changed to ifstap@proton.me, locking out the legitimate developer. Any project with ^1.14.0 or ^0.30.0 in package.json automatically installs the backdoored version.

5

Mar 31, 01:50 UTC, Elastic Security detects and discloses

Automated supply-chain monitoring detects the compromise within approximately six minutes. Elastic files a GitHub Security Advisory and coordinates disclosure with npm and the Axios maintainers.

6

Mar 31, 03:20 UTC, Malicious versions removed

Both backdoored versions are taken down after approximately three hours. Any environment that ran npm install during that window should be treated as fully compromised.

7

Apr 1, 2026, Google GTIG formally attributes to UNC1069

Google's Threat Intelligence Group publicly attributes the Axios compromise to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018, based on WAVESHAPER.V2 usage and C2 infrastructure overlaps.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The payload: WAVESHAPER.V2

The second-stage payload deployed across both the ecosystem packages and the Axios compromise is WAVESHAPER.V2, a cross-platform RAT with variants for Windows (PowerShell), macOS (native C++ Mach-O binary), and Linux (Python). It is a direct evolution of WAVESHAPER, a backdoor previously attributed exclusively to UNC1069 and historically deployed against the cryptocurrency sector.

Once installed, WAVESHAPER.V2 beacons to its C2 server every 60 seconds using Base64-encoded JSON. The hardcoded user-agent spoofs Internet Explorer 8 on Windows XP, a trivially detectable anomaly on any modern network and an immediate flag in EDR telemetry on macOS and Linux hosts.

WAVESHAPER.V2 supports four commands: kill (terminate the process), rundir (enumerate directory listings), runscript (execute AppleScript, PowerShell, or shell commands), and peinject (execute arbitrary binaries in memory). Target data: cloud credentials, SSH keys, AWS secrets, Kubernetes tokens, and cryptocurrency wallet files.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The threat actor: UNC1069 / Sapphire Sleet / BlueNoroff

The operation is attributed with high confidence to UNC1069, a financially motivated North Korea-nexus threat actor that Google's Mandiant unit has tracked since at least 2018. The group overlaps with several other tracked aliases across different vendor naming conventions, all describing the same cluster of activity: Sapphire Sleet, BlueNoroff, Stardust Chollima, Alluring Pisces, CageyChameleon, CryptoCore, MASAN, and GhostCall.

UNC1069's defining characteristic, per Microsoft, is operating multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack, either impersonating known contacts or credible brands, or by leveraging access to previously compromised accounts, before delivering a fraudulent Zoom or Microsoft Teams meeting link.

The Security Alliance (SEAL) blocked 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom services between February 6 and April 7, 2026 alone.

What we are seeing consistently is ongoing evolution in how DPRK-linked, financially motivated actors operate, shifts in tooling, infrastructure, and targeting, but with clear continuity in behavior and intent.

Microsoft Threat Intelligence, Direct Assessment

Why your CI/CD pipeline is the real attack surface

Supply chain attacks against developer tooling work because of a fundamental assumption baked into modern software delivery: that packages from trusted registries can be installed automatically without manual review. CI/CD pipelines pull dependencies, resolve version ranges, and run install hooks without pausing to ask whether the code being fetched is safe.

The postinstall hook is particularly significant. npm, PyPI, and other package managers support hooks that execute arbitrary code when a package is installed, before the developer ever imports or runs the package's advertised functionality. In the Axios attack, the malicious payload executed via plain-crypto-js's postinstall hook the moment npm install ran. The developer never saw a prompt, never ran the malicious code explicitly, and in many cases never knew the package was installed at all, because it was a transitive dependency two levels deep.

What made the Axios attack possible was a compound vulnerability in the trust model. The Axios project used OIDC Trusted Publishing, which is the correct modern approach. But the GitHub Actions workflow still had a long-lived NPM_TOKEN environment variable present. npm defaults to the token if present, allowing the attacker, who had stolen that token via the maintainer's compromised workstation, to bypass the OIDC provenance mechanism entirely.

This is a well-resourced, prolific, systematic factory-model supply chain threat that treats npm, PyPI, and VS Code as renewable initial access channels into developer environments.

Socket Security, April 7, 2026

What to do right now

Eight immediate actions for your security and engineering teams:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The combination of the Contagious Interview ecosystem packages and the Axios maintainer compromise tells a coherent strategic story. The typosquatting campaign requires a developer to make a mistake, installing the wrong package. The maintainer compromise required no developer mistake at all. It required only that Axios had 100 million weekly downloads, that its maintainer was reachable on Telegram and LinkedIn, and that a long-lived npm token existed as a fallback.

North Korea has built a factory-model capability for poisoning open-source supply chains at scale, 1,700 packages across five ecosystems, with shared infrastructure, identical loader logic, and now confirmed access to a library present in 80% of cloud environments. The capability is fully operational.

The correct response is not to treat this as an npm problem or a Python problem or a Go problem. It is a trust model problem that runs through every package registry where automated CI/CD systems install dependencies without human review. The attack surface is every software project that has ever run npm install, pip install, go get, cargo add, or composer require, and resolved a version range automatically.

Any environment that ran npm install between March 31, 00:21 and 03:20 UTC and resolved to axios@1.14.1 or axios@0.30.4 should be treated as fully compromised regardless of whether active C2 communication was observed. The malware self-deletes after execution. Absence of artifacts does not mean absence of compromise.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

How many malicious packages did North Korea deploy?

Socket Security documented over 1,700 malicious packages tied to North Korea's Contagious Interview campaign across five package ecosystems: npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP).

Was the Axios npm package compromised?

Yes. UNC1069, a North Korean threat actor, compromised the Axios maintainer through social engineering and injected a backdoor into a live release. Axios has over 100 million weekly downloads and is present in approximately 80% of cloud environments.

How do I check if my project is affected?

Audit your direct and transitive dependencies against the confirmed malicious package list. Check for any Axios versions published between March 30 and March 31, 2026. Hunt for WAVESHAPER.V2 artifacts across endpoints and review CI/CD pipeline logs for the affected time windows.

What is WAVESHAPER.V2 and how do I detect it?

WAVESHAPER.V2 is the second-generation malware loader deployed by North Korea's UNC1069 through the compromised Axios npm package and the broader Contagious Interview campaign packages. It fetches and executes a platform-specific second-stage payload delivering infostealers and remote access trojans. Detection: search endpoint telemetry for processes spawned from Node.js or package manager contexts that make outbound network connections to non-registry domains, and hunt file system writes from npm install scripts to temp or hidden directories.

What is the Contagious Interview campaign?

Contagious Interview is a long-running North Korean threat operation, attributed to UNC1069 and linked to the Lazarus Group, that targets software developers through fake job interviews. Attackers pose as recruiters and ask candidates to complete a coding challenge that requires installing a malicious npm package. The April 2026 cluster expanded the operation to five package ecosystems simultaneously (npm, PyPI, Go Modules, crates.io, Packagist) with over 1,700 total malicious packages documented by Socket Security's tracker.

Sources & references

  1. Socket Security
  2. Google GTIG / Mandiant
  3. Elastic Security
  4. Microsoft Threat Intelligence
  5. The Security Alliance (SEAL)

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.