UNC1069 supply chain incidents
Financially motivated North Korea-nexus actor (Google Threat Intelligence Group designation; tracked by Microsoft as Sapphire Sleet) publicly attributed to the 2026 axios npm maintainer-account compromise.
Also tracked as: Sapphire Sleet, CryptoCore
3 confirmed incidents publicly associated with this group. Attribution reflects what the cited sources state; it is recorded for filtering, not asserted by this site.
- active, critical
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
A maintainer account for the widely-used axios npm package was compromised and used to publish poisoned versions 1.14.1 and 0.30.4. The malicious releases contained a hidden dependency that drops a cross-platform remote access trojan (RAT).
UNC1069, npm, Account takeover, Compromised package
- resolved, critical
Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack
StepSecurity detected a compromise of axios, described as the largest npm supply chain attack on a single package by download count. A state-sponsored threat actor is reported to have actively suppressed warnings by deleting GitHub issues. Detection occurred before public disclosure.
UNC1069, npm, Compromised package, Malicious maintainer
- active, high
Axios NPM Distribution Compromised in Supply Chain Attack
A compromised axios maintainer account led to malicious npm releases affecting projects with active dependencies on the package. The incident involved unauthorized releases propagated through the npm distribution network.
UNC1069, npm, Account takeover, Malicious commit