A hacking campaign linked to North Korea has targeted a widely used but little-known piece of software that supports many websites and apps behind the scenes. The case shows how a breach deep in the software supply chain can reach a large number of online services at once.
Google said the attackers compromised Axios, an open-source JavaScript library that web and server-side apps use to make HTTP requests to web services, by adding malicious code to an update released on March 30.
The aim was to steal login details that could help further cyber attacks.
A hack aimed at software most users never see
What stands out about this incident is the target. Axios is not a consumer app or a well-known platform. It is a library that sits inside other software and handles the requests digital services send to each other, so most of the people who depend on it have never heard of it.
Reuters quoted SentinelOne researcher Tom Hegel, who said that whenever someone loads a website, checks a bank balance, or opens an app, there’s a good chance Axios is running somewhere in the background.
This is why researchers quickly called it a supply chain attack. Instead of targeting users directly, the attackers inserted malicious code into a dependency that developers and organizations already trust and install automatically.
The malicious code has now been removed, but concerns remain. The malware could have exposed data on affected machines, including credentials, which might be used for further attacks or theft.
The Straits Times said cyber researchers see this incident as dangerous because it could affect people through software they would not normally suspect.
Google ties the operation to a North Korean group
Google linked the attack to a threat group it calls UNC1069.
In a February report, Google said this group has been active since at least 2018 and often targets the cryptocurrency and financial sectors.
Reuters also quoted John Hultquist, chief analyst for Google’s threat intelligence group, who said North Korean hackers have deep experience with supply chain attacks and mainly use them to steal cryptocurrency.
This connection is important for more than just this case. According to the U.S. government, North Korea uses stolen cryptocurrency to fund its weapons programs and avoid sanctions. This means the breach is part of a larger pattern of financially motivated cyber attacks linked to North Korea.
Why supply chain attacks worry defenders
Supply chain attacks are hard to detect because they take advantage of the trust built into modern software development: dependencies are pulled in automatically by package managers, and few teams review the code of every update they receive.
Hegel explained that users do not have to click a bad link or make a mistake if the harmful code comes through software they already use. In this case, the attackers changed an Axios update, turning a normal software update into a possible way to spread malware.
Elastic Security's analysis revealed another concern. The malware was built to run on macOS, Windows, and Linux, which broadens the range of systems it could infect. Elastic said the attacker could potentially reach millions of environments, though Reuters noted it is unclear how many times the malicious version was actually downloaded.
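One check a defender can run after an incident like this, and the one the points above about trusted updates and careful version management call for, is to find every copy of a dependency that a project's lockfile will install and compare each against an approved list. The script below is an added example, not code from the article, Google, Elastic, or the Axios project. It reads an npm package-lock.json (lockfileVersion 3 layout), locates every nested copy of a named package, and flags copies whose version is not approved, whose integrity hash differs from the one recorded when that version was vetted, or which were fetched from an unexpected registry. The sample lockfile, the version numbers, the integrity strings, and the policy are all constructed for this example; they are not the real compromised or clean Axios releases.

```javascript
// Added example (not from the article or the Axios project): audit an npm
// package-lock.json for every installed copy of a dependency and check each
// copy against an allowlist of approved version/integrity pairs.

// Constructed sample lockfile in npm's lockfileVersion 3 layout: one direct
// copy of axios, a second copy nested under a transitive dependency, and an
// unrelated package whose name merely starts with "axios".
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^9.0.0", "some-lib": "^2.0.0" } },
    "node_modules/axios": {
      version: "9.0.0",
      resolved: "https://registry.npmjs.org/axios/-/axios-9.0.0.tgz",
      integrity: "sha512-EXAMPLEHASHFORNINEZEROZERO",
    },
    "node_modules/axios-retry": { version: "4.0.0" },
    "node_modules/some-lib": { version: "2.3.4" },
    "node_modules/some-lib/node_modules/axios": {
      version: "9.0.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-9.0.1.tgz",
      integrity: "sha512-EXAMPLEHASHFORNINEZEROONE",
    },
  },
});

// Hypothetical policy: the only axios version this team has reviewed, with
// the integrity value recorded at review time, and the registry every copy
// must have been resolved from. Values are constructed, not real hashes.
const POLICY = {
  name: "axios",
  approved: { "9.0.0": "sha512-EXAMPLEHASHFORNINEZEROZERO" },
  registryPrefix: "https://registry.npmjs.org/",
};

// Return every lockfile entry for `name`, however deeply it is nested.
// Matching the full trailing path segment keeps "axios-retry" out.
function findPackageCopies(lockText, name) {
  const lock = JSON.parse(lockText);
  const packages = lock.packages || {};
  const suffix = `node_modules/${name}`;
  return Object.entries(packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, e]) => ({
      path: p,
      version: e.version,
      resolved: e.resolved,
      integrity: e.integrity,
    }));
}

// Classify one copy. Source is checked first: a tarball pulled from an
// unexpected host is suspect even when its version string looks approved.
function classifyCopy(copy, policy) {
  if (!copy.resolved || !copy.resolved.startsWith(policy.registryPrefix)) {
    return "unexpected-source";
  }
  const expected = policy.approved[copy.version];
  if (expected === undefined) return "unapproved-version";
  if (copy.integrity !== expected) return "integrity-mismatch";
  return "ok";
}

// Audit the whole lockfile for the policy's package and return one finding
// per copy, so the result can be asserted on or fed to a CI gate.
function auditLock(lockText, policy) {
  return findPackageCopies(lockText, policy.name).map((c) => ({
    ...c,
    status: classifyCopy(c, policy),
  }));
}

// Stand-alone run: print one line per copy found in the sample lockfile.
const demoFindings = auditLock(SAMPLE_LOCK, POLICY);
for (const f of demoFindings) {
  console.log(`${f.status.padEnd(18)} ${f.path} @ ${f.version}`);
}
```

In a real pipeline the audit would read the project's own lockfile and fail the build when any finding is not "ok". The nested-copy case matters most: a project can pin its direct dependency to a reviewed version and still ship a different, unreviewed copy that a transitive dependency pulled in, which a check of the top-level version alone would miss.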
An invisible layer, a very visible risk
Reuters said the Axios developers could not be reached for comment, and attempts to contact the hackers did not work.
Even without a public statement from the software team, this attack shows a common problem in the digital world: some of the most important software is also the least visible to most people.
Axios is open source: anyone can read and reuse its code, and package managers pull it into projects automatically. That makes the integrity of its releases, and care about which versions actually get installed, especially important.
The main lesson is that cyber risks are not only found in suspicious emails or phishing pages. They can also hide inside the software that keeps services running. If that software is compromised, the threat can spread quietly and widely.
This recent breach shows how even a small part of the web’s infrastructure can become a target for state-backed hackers searching for new ways in.