Axios supply chain allegedly targeted by North Korean hackers, with the aim of locking onto corporate crypto assets.

axios supply-chain attack

Mandiant, a cybersecurity firm under Google, confirmed that a suspected North Korean hacker group is responsible for Tuesday’s axios supply-chain attack. The attackers compromised the developer account of the open-source software axios and, during an approximately three-hour window on Tuesday morning, pushed malicious updates to every organization that downloaded the software in that window. The goal was to steal corporate crypto assets to fund North Korea’s nuclear weapons and missile programs.

Attack Execution Details: The Precise Three-Hour Supply-Chain Strike

The attack illustrates how efficient a software supply-chain compromise can be. The attackers first took control of the axios developer’s account, then immediately used that legitimate identity to publish a version containing malicious code as if it were a normal update. During the three-hour window, any organization whose automated systems performed a routine update deployed the backdoored version without knowing it.

Ben Read, director of strategic threat intelligence at Wiz, a Google company, noted: “North Korea isn’t worried about its reputation or about eventually being identified, so even though these kinds of actions are very attention-grabbing, they’re still willing to pay this price.”

Huntress security researcher John Hammond also said the timing was “just right,” pointing to organizations’ large-scale adoption of AI agents for software development “with no review or constraints,” which makes supply-chain weaknesses easier to exploit systematically.

Investigation Findings: Scope of Victims and Future Attack Direction

Current investigations reveal threats across multiple dimensions:

Affected devices: Huntress has identified about 135 compromised devices, belonging to around 12 companies—estimated to be only a small fraction of the actual scale of victims

Assessment timeline: Charles Carmakal, CTO of Mandiant, warned that a full assessment of the impact of this attack may take months

Next attack direction: Mandiant expects the attackers to use the stolen credentials and system access to target and steal corporate crypto assets

Supply-chain vulnerabilities: Hammond noted that “too many people no longer pay attention to what components make up the software they use, and this creates a huge vulnerability for the entire supply chain”

Historical Background: A Systematic Upgrade of North Korea’s Digital Theft

This axios attack is the latest example of Pyongyang’s systematic penetration of software supply-chain systems. Three years ago, suspected North Korean agents infiltrated another widely popular voice and video software provider; last year, North Korean hackers stole $1.5 billion worth of cryptocurrency in a single attack, setting a historical record at the time for cryptocurrency hacker cases.

Reports from the United Nations and multiple private organizations show that over the past several years, North Korean hackers have stolen tens of billions of dollars from banks and cryptocurrency companies. In 2023, a White House official disclosed that about half of the funding for North Korea’s missile program came from this type of digital theft, giving this security threat direct international strategic implications.

Frequently Asked Questions

What is axios, and why did it become the target of this supply-chain attack?

axios is a widely used JavaScript package distributed through npm (the attacked version is 1.14.1). It helps developers handle HTTP requests for websites and is adopted by thousands of healthcare, financial, and technology companies. Its extremely high download volume makes it a high-value target for supply-chain attacks: compromising a single developer account can push malicious code to a large number of downstream organizations within a few hours.

What specific risks does this attack pose to cryptocurrency companies?

Mandiant’s assessment indicates that the attackers will use the stolen credentials to further infiltrate enterprises holding crypto assets. Cryptocurrency companies and technology enterprises that use an infected version of axios may, without knowing it, have given the attackers a backdoor into internal systems, putting wallet private keys, API keys, and transaction credentials at risk of theft.

How should companies assess and respond to this axios supply-chain attack?

It is recommended to carry out the following steps immediately: verify whether the version of axios in your systems is the attacked version; review the software update logs for the time of the attack (the three-hour window on Tuesday morning); scan for any abnormal credential access or outbound connection behavior; and contact security organizations such as Huntress and Mandiant for a professional assessment.
