North Korea Hid 1,700 Malicious Packages Inside Your Dev Team's Tools
npm. PyPI. Go. Rust. PHP. All five ecosystems. Simultaneously. North Korea's Contagious Interview operation just executed the most comprehensive open-source supply chain poisoning campaign ever documented, and then compromised Axios, the JavaScript library with 100 million weekly downloads.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Socket Security researcher Kirill Boychenko published intelligence on April 7, 2026 documenting a new cluster within North Korea's long-running Contagious Interview campaign: twelve confirmed malicious packages and two sleeper packages deployed simultaneously across npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP). All reused the same staging infrastructure and loader patterns. All functioned as malware loaders designed to fetch platform-specific second-stage payloads delivering infostealers and remote access trojans.
This is not a new campaign. It is an expansion of one. Socket's tracker for Contagious Interview now lists more than 1,700 malicious packages tied to the activity. The April cluster is a small slice of that total, but it is the first time the operation has been documented pushing coordinated, simultaneous packages across five separate registries using shared infrastructure and identical loader logic.
And that is only half the story. A separate, more consequential operation targeted Axios, the most popular JavaScript HTTP client in the world, present in an estimated 80% of cloud environments, by compromising its lead maintainer through a weeks-long social engineering campaign, then using the stolen publishing credentials to inject a backdoor into a live npm package with 100 million weekly downloads.
The packages: what was confirmed across five ecosystems
The packages were published under GitHub aliases including golangorg, aokisasakidev, and aokisasakidev1, with supporting persona networks under maxcointech1010 and maxcointech0000. They impersonated common developer utilities, debug loggers, license validators, HTTP libraries, names chosen because they sound like the kind of thing a developer installs without a second thought.
Socket reported all identified live packages to the affected registries and submitted takedown requests for associated GitHub accounts. The crates.io security team removed logtrace under advisory RUSTSEC-2026-0081. The Go Security team blocked the identified malicious modules. The npm security team removed the aokisasakidev packages. At time of reporting, some packages had been removed. Others remained live.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The Axios operation: when North Korea compromised 100 million downloads
The Contagious Interview cross-ecosystem cluster is only one part of a broader offensive. A separate, even more consequential operation targeted Axios, the most popular JavaScript HTTP client library in the world, with approximately 100 million weekly downloads and present in an estimated 80% of cloud environments.
This attack was not a fake package. It was a compromised legitimate one. UNC1069 ran a multi-week social engineering campaign targeting Jason Saayman, the lead maintainer of Axios. They built rapport across messaging platforms, masqueraded as credible contacts, and eventually delivered a remote access trojan that gave them persistent access to his development environment, and the long-lived npm access token that Axios used for publishing.
The Axios maintainer described the campaign as 'extremely well coordinated, looked legit, and was done in a professional manner.' Any engineer who maintains open-source packages with high download counts is a priority target.
Weeks prior, Social engineering campaign begins
UNC1069 builds rapport with Axios maintainer Jason Saayman via Telegram, LinkedIn, and Slack, impersonating credible contacts. A convincing fake meeting link delivers a RAT, giving persistent access to his workstation and the long-lived npm publishing token.
Mar 30, 05:57 UTC, Decoy package pre-staged
A clean version of plain-crypto-js@4.2.0 is published 18 hours early to establish trust in the npm ecosystem. Deliberate pre-staging, not opportunism.
Mar 30, 23:59 UTC, Payload version published
plain-crypto-js@4.2.1, containing the SILKBELL dropper and WAVESHAPER.V2 RAT, is published to npm.
Mar 31, 00:21 UTC, Axios account takeover and poisoned release
Using the stolen long-lived npm token, attacker publishes axios@1.14.1 and axios@0.30.4, injecting plain-crypto-js@4.2.1 as a runtime dependency. Maintainer's email changed to ifstap@proton.me, locking out the legitimate developer. Any project with ^1.14.0 or ^0.30.0 in package.json automatically installs the backdoored version.
Mar 31, 01:50 UTC, Elastic Security detects and discloses
Automated supply-chain monitoring detects the compromise within approximately six minutes. Elastic files a GitHub Security Advisory and coordinates disclosure with npm and the Axios maintainers.
Mar 31, 03:20 UTC, Malicious versions removed
Both backdoored versions are taken down after approximately three hours. Any environment that ran npm install during that window should be treated as fully compromised.
Apr 1, 2026, Google GTIG formally attributes to UNC1069
Google's Threat Intelligence Group publicly attributes the Axios compromise to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018, based on WAVESHAPER.V2 usage and C2 infrastructure overlaps.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The payload: WAVESHAPER.V2
The second-stage payload deployed across both the ecosystem packages and the Axios compromise is WAVESHAPER.V2, a cross-platform RAT with variants for Windows (PowerShell), macOS (native C++ Mach-O binary), and Linux (Python). It is a direct evolution of WAVESHAPER, a backdoor previously attributed exclusively to UNC1069 and historically deployed against the cryptocurrency sector.
Once installed, WAVESHAPER.V2 beacons to its C2 server every 60 seconds using Base64-encoded JSON. The hardcoded user-agent spoofs Internet Explorer 8 on Windows XP, a trivially detectable anomaly on any modern network and an immediate flag in EDR telemetry on macOS and Linux hosts.
WAVESHAPER.V2 supports four commands: kill (terminate the process), rundir (enumerate directory listings), runscript (execute AppleScript, PowerShell, or shell commands), and peinject (execute arbitrary binaries in memory). Target data: cloud credentials, SSH keys, AWS secrets, Kubernetes tokens, and cryptocurrency wallet files.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The threat actor: UNC1069 / Sapphire Sleet / BlueNoroff
The operation is attributed with high confidence to UNC1069, a financially motivated North Korea-nexus threat actor that Google's Mandiant unit has tracked since at least 2018. The group overlaps with several other tracked aliases across different vendor naming conventions, all describing the same cluster of activity: Sapphire Sleet, BlueNoroff, Stardust Chollima, Alluring Pisces, CageyChameleon, CryptoCore, MASAN, and GhostCall.
UNC1069's defining characteristic, per Microsoft, is operating multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack, either impersonating known contacts or credible brands, or by leveraging access to previously compromised accounts, before delivering a fraudulent Zoom or Microsoft Teams meeting link.
The Security Alliance (SEAL) blocked 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom services between February 6 and April 7, 2026 alone.
“What we are seeing consistently is ongoing evolution in how DPRK-linked, financially motivated actors operate, shifts in tooling, infrastructure, and targeting, but with clear continuity in behavior and intent.”
Microsoft Threat Intelligence, Direct Assessment
Why your CI/CD pipeline is the real attack surface
Supply chain attacks against developer tooling work because of a fundamental assumption baked into modern software delivery: that packages from trusted registries can be installed automatically without manual review. CI/CD pipelines pull dependencies, resolve version ranges, and run install hooks without pausing to ask whether the code being fetched is safe.
The postinstall hook is particularly significant. npm, PyPI, and other package managers support hooks that execute arbitrary code when a package is installed, before the developer ever imports or runs the package's advertised functionality. In the Axios attack, the malicious payload executed via plain-crypto-js's postinstall hook the moment npm install ran. The developer never saw a prompt, never ran the malicious code explicitly, and in many cases never knew the package was installed at all, because it was a transitive dependency two levels deep.
What made the Axios attack possible was a compound vulnerability in the trust model. The Axios project used OIDC Trusted Publishing, which is the correct modern approach. But the GitHub Actions workflow still had a long-lived NPM_TOKEN environment variable present. npm defaults to the token if present, allowing the attacker, who had stolen that token via the maintainer's compromised workstation, to bypass the OIDC provenance mechanism entirely.
“This is a well-resourced, prolific, systematic factory-model supply chain threat that treats npm, PyPI, and VS Code as renewable initial access channels into developer environments.”
Socket Security, April 7, 2026
What to do right now
Eight immediate actions for your security and engineering teams:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
The combination of the Contagious Interview ecosystem packages and the Axios maintainer compromise tells a coherent strategic story. The typosquatting campaign requires a developer to make a mistake, installing the wrong package. The maintainer compromise required no developer mistake at all. It required only that Axios had 100 million weekly downloads, that its maintainer was reachable on Telegram and LinkedIn, and that a long-lived npm token existed as a fallback.
North Korea has built a factory-model capability for poisoning open-source supply chains at scale, 1,700 packages across five ecosystems, with shared infrastructure, identical loader logic, and now confirmed access to a library present in 80% of cloud environments. The capability is fully operational.
The correct response is not to treat this as an npm problem or a Python problem or a Go problem. It is a trust model problem that runs through every package registry where automated CI/CD systems install dependencies without human review. The attack surface is every software project that has ever run npm install, pip install, go get, cargo add, or composer require, and resolved a version range automatically.
Any environment that ran npm install between March 31, 00:21 and 03:20 UTC and resolved to axios@1.14.1 or axios@0.30.4 should be treated as fully compromised regardless of whether active C2 communication was observed. The malware self-deletes after execution. Absence of artifacts does not mean absence of compromise.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
How many malicious packages did North Korea deploy?
Socket Security documented over 1,700 malicious packages tied to North Korea's Contagious Interview campaign across five package ecosystems: npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP).
Was the Axios npm package compromised?
Yes. UNC1069, a North Korean threat actor, compromised the Axios maintainer through social engineering and injected a backdoor into a live release. Axios has over 100 million weekly downloads and is present in approximately 80% of cloud environments.
How do I check if my project is affected?
Audit your direct and transitive dependencies against the confirmed malicious package list. Check for any Axios versions published between March 30 and March 31, 2026. Hunt for WAVESHAPER.V2 artifacts across endpoints and review CI/CD pipeline logs for the affected time windows.
What is WAVESHAPER.V2 and how do I detect it?
WAVESHAPER.V2 is the second-generation malware loader deployed by North Korea's UNC1069 through the compromised Axios npm package and the broader Contagious Interview campaign packages. It fetches and executes a platform-specific second-stage payload delivering infostealers and remote access trojans. Detection: search endpoint telemetry for processes spawned from Node.js or package manager contexts that make outbound network connections to non-registry domains, and hunt file system writes from npm install scripts to temp or hidden directories.
What is the Contagious Interview campaign?
Contagious Interview is a long-running North Korean threat operation, attributed to UNC1069 and linked to the Lazarus Group, that targets software developers through fake job interviews. Attackers pose as recruiters and ask candidates to complete a coding challenge that requires installing a malicious npm package. The April 2026 cluster expanded the operation to five package ecosystems simultaneously (npm, PyPI, Go Modules, crates.io, Packagist) with over 1,700 total malicious packages documented by Socket Security's tracker.
Sources & references
- Socket Security
- Google GTIG / Mandiant
- Elastic Security
- Microsoft Threat Intelligence
- The Security Alliance (SEAL)
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
