Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is:
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
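As an added example of the three-way check described above (this is not the site's own src.verify_decision module), the block below recomputes a decision hash from canonical bytes, builds and parses a memo in the stated AVOID.NET|v1 format, and compares database, recomputed and on-chain values. It assumes the memo is the UTF-8 string carried in the transaction's SPL Memo instruction, which the caller has already fetched from a Solana RPC node, and that the d: field holds the decision id; the sample payload, id and timestamp are constructed for the demo.

```python
# Added example, not AVOID.NET's own code. Assumes the caller supplies the memo
# text read from the anchoring transaction's SPL Memo instruction and that the
# memo's d: field is the decision id. All sample values below are constructed.
import hashlib
import re

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 as used by Solana/Bitcoin: big-endian integer, each leading 0x00 byte -> '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def decision_hash(canonical: bytes) -> str:
    """SHA-256 over the exact canonical bytes, digest rendered as base58."""
    return b58encode(hashlib.sha256(canonical).digest())


def build_memo(digest_b58: str, decision_id: str, iso_time: str) -> str:
    """Commit side: the memo text written into the SPL Memo v2 instruction."""
    return f"AVOID.NET|v1|h:{digest_b58}|d:{decision_id}|t:{iso_time}"


# Strict parser: the hash must be base58 (no 0, O, I, l) and no field may contain '|'.
MEMO_RE = re.compile(
    r"^AVOID\.NET\|v1\|h:(?P<h>[1-9A-HJ-NP-Za-km-z]+)\|d:(?P<d>[^|]+)\|t:(?P<t>[^|]+)$"
)


def parse_memo(memo: str) -> dict:
    """Verify side: split a memo into its fields, rejecting anything off-format."""
    m = MEMO_RE.match(memo)
    if m is None:
        raise ValueError("memo is not in AVOID.NET|v1 format")
    return m.groupdict()


def verify(canonical: bytes, db_hash: str, memo: str, decision_id: str) -> dict:
    """Three-way comparison: database hash, recomputed hash, on-chain memo hash."""
    recomputed = decision_hash(canonical)
    fields = parse_memo(memo)
    result = {
        "recomputed": recomputed,
        "db_matches": recomputed == db_hash,
        "chain_matches": recomputed == fields["h"],
        "id_matches": fields["d"] == decision_id,
        "memo_time": fields["t"],
    }
    result["ok"] = result["db_matches"] and result["chain_matches"] and result["id_matches"]
    return result


# Constructed sample standing in for payload_canonical_string; not a real decision.
SAMPLE_CANONICAL = b'{"actor":"moderator:demo","kind":"publish","sequence_num":1,"v":1}'
SAMPLE_ID = "decision-0001"  # placeholder id, not an AVOID.NET identifier
SAMPLE_TIME = "2026-06-19T23:05:25.836Z"

if __name__ == "__main__":
    h = decision_hash(SAMPLE_CANONICAL)
    memo = build_memo(h, SAMPLE_ID, SAMPLE_TIME)
    print(verify(SAMPLE_CANONICAL, h, memo, SAMPLE_ID))
    # A single extra byte in the payload changes the digest and fails the comparison.
    print(verify(SAMPLE_CANONICAL + b"\n", h, memo, SAMPLE_ID)["ok"])
```

To use it against a real decision, pass verify() the canonical bytes copied from the decision page (byte for byte, with no added trailing newline), the database hash shown there, the memo text pulled from the transaction, and the decision id. One caveat the three-way comparison alone does not cover: a matching memo proves that someone committed to that hash at that slot, so also confirm that the anchoring transaction was signed by a key you independently know to be AVOID.NET's (the page above does not list one); otherwise a third party could post a memo carrying the same hash.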
Decision
publish · Sapphire Sleet / UNC1069
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 427602200
- Off-chain at: 2026-06-19T23:05:25.836Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): 3R2MZqYakLhNonkDCWpoekXkn2Stg4dhk3KjmL2MgKjP
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (28249 chars)
{"actor":"system:backfill","investigation_id":"b6254be6-dc3f-47ad-9b36-ca3a0500fe88","kind":"publish","page_slug":"sapphire-sleet-unc1069","published_at":"2026-06-19T23:05:25.697Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Sapphire Sleet / UNC1069","sections":[{"content":"The threat cluster designated Sapphire Sleet by Microsoft and UNC1069 by Google Mandiant is a financially motivated North Korean advanced persistent threat group assessed with high confidence to operate under North Korea's Reconnaissance General Bureau. The group is also tracked by other security vendors under the aliases BlueNoroff, CryptoCore (ClearSky, 2020 report), CageyChameleon, Alluring Pisces, and STARDUST CHOLLIMA (CrowdStrike, with moderate confidence on the axios attribution). Microsoft has noted overlaps with BlueNoroff, which is the financial-theft-focused subunit of the broader Lazarus Group constellation. Google Threat Intelligence assessed the group as active since at least April 2018, with Microsoft dating the Sapphire Sleet designation to at least March 2020. CrowdStrike attributed the March 2026 axios operation to Stardust Chollima with moderate confidence, reflecting some divergence in vendor tracking methodology. 
The WAVESHAPER backdoor family and associated infrastructure overlaps — including connections from a specific AstrillVPN node previously linked to UNC1069 — form the primary technical basis for the attribution.","heading":"Threat Actor Identity and Attribution","severity":"critical","sources":[{"credibility":2,"name":"Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html"},{"credibility":1,"name":"Mitigating the Axios npm supply chain compromise — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"credibility":2,"name":"Axios npm Supply Chain Attack FAQ: North Korea UNC1069 — Tenable","type":"research","url":"https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"},{"credibility":2,"name":"Microsoft Threat Intelligence on X — Sapphire Sleet overlaps BlueNoroff, CageyChameleon, CryptoCore","type":"social_media","url":"https://x.com/MsftSecIntel/status/1722316021841764414"}]},{"content":"On March 31, 2026, UNC1069/Sapphire Sleet compromised the npm account of axios primary maintainer @jasonsaayman, changing the associated email to an attacker-controlled ProtonMail address (ifstap@proton.me) and using a stolen long-lived classic access token to bypass legitimate GitHub Actions OIDC workflows. The attack was staged in multiple phases beginning March 30. At 05:57 UTC on March 30, the attacker published a clean decoy package, plain-crypto-js@4.2.0, to establish npm registry presence. At 23:59 UTC the malicious version plain-crypto-js@4.2.1 was published. At 00:05 UTC on March 31, Socket.dev detected the compromise — approximately six minutes after publication. axios@1.14.1 was published at 00:21 UTC and axios@0.30.4 at approximately 01:00 UTC. 
Both malicious versions were unpublished from the npm registry at approximately 03:15 UTC, yielding an exposure window of roughly three hours. During that window, approximately 600,000 installations of the trojanized packages occurred. The axios package receives over 100 million weekly downloads across its 1.x branch and is present in an estimated 80 percent of cloud environments. CISA formally issued an advisory on April 20, 2026 recommending organizations downgrade to axios@1.14.0 or axios@0.30.3.","heading":"March 31, 2026 Axios npm Supply Chain Attack","severity":"critical","sources":[{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":2,"name":"Axios npm Supply Chain Attack Technical Analysis — Tenable","type":"research","url":"https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"},{"credibility":2,"name":"What We Learned: Axios NPM Supply Chain Compromise Emergency Briefing — SANS Institute","type":"research","url":"https://www.sans.org/blog/what-we-learned-axios-npm-supply-chain-compromise-emergency-briefing"},{"credibility":2,"name":"Axios npm Supply Chain Attack Technical Analysis — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"}]},{"content":"The malicious dependency plain-crypto-js@4.2.1 contained a postinstall hook that executed an obfuscated JavaScript dropper named SILKBELL (setup.js). SILKBELL employed two-layer obfuscation using string reversal, Base64 encoding, and XOR cipher with the key 'OrDeR_7077' (constant: 333). After executing, SILKBELL fetched platform-specific payloads and self-deleted within approximately 15 seconds, replacing package.json with a decoy package.md to impede forensic recovery. 
The payload delivered was WAVESHAPER.V2, described by both Microsoft and Google as a cross-platform remote access trojan (RAT) representing an evolution of the previously attributed WAVESHAPER backdoor family. Platform-specific deployment was as follows: on macOS, a C++ Mach-O binary was written to /Library/Caches/com.apple.act.mond to masquerade as an Apple system process; on Windows, a PowerShell RAT was deployed via a VBScript launcher, with persistence established via a registry Run key named 'MicrosoftUpdate' using a copy of the legitimate PowerShell binary renamed to wt.exe stored in %PROGRAMDATA%; on Linux, a Python script was written to /tmp/ld.py and launched via nohup. WAVESHAPER.V2 beaconed to command-and-control infrastructure every 60 seconds via Base64-encoded JSON over HTTP POST, using a User-Agent string spoofing Internet Explorer 8 on Windows XP to evade network detection heuristics. Supported commands include kill, rundir, runscript, and peinject (in-memory binary injection). The implant also distributes HYPERCALL, a Go-based downloader enabling operator-controlled secondary payload staging. Primary C2 infrastructure: domain sfrclak[.]com, IP 142.11.206[.]73 on port 8000. A secondary domain callnrwise[.]com was also identified. StepSecurity's Harden-Runner detected anomalous C2 contact in over 12,000 projects. Huntress identified at least 135 confirmed C2 contact instances. 
Wiz observed confirmed execution in approximately 3 percent of affected environments.","heading":"WAVESHAPER.V2 Malware: Technical Profile","severity":"critical","sources":[{"credibility":2,"name":"Axios npm Supply Chain Attack: Technical Analysis, IOCs, Detection and Mitigation — Loginsoft","type":"research","url":"https://www.loginsoft.com/post/axios-npm-supply-chain-attack-technical-analysis-iocs-detection-mitigation"},{"credibility":2,"name":"Axios npm Compromised: UNC1069 Deploys Cross-Platform RAT — CSA Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-axios-npm-supply-chain-unc1069-20260401-cs/"},{"credibility":2,"name":"Axios npm Supply Chain Attack Technical Analysis — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"}]},{"content":"UNC1069's primary financial objective is the theft of cryptocurrency and related digital assets. Developer build environments are a high-value target because they routinely contain npm access tokens, cloud provider credentials (AWS keys, Azure credentials), SSH private keys, repository credentials, code signing certificates, environment variable files with database passwords and API secrets, and CI/CD platform tokens. A single compromised developer machine or build pipeline can provide lateral access to production infrastructure, customer data, and financial accounts — outcomes directly aligned with the group's documented cryptocurrency theft focus. CISA's April 2026 advisory confirmed that credentials targeted during the axios compromise included GitHub personal access tokens, AWS keys, Azure credentials, SSH keys, and cloud tokens. 
The group has historically focused on cryptocurrency exchanges, DeFi platforms, wallet providers, venture capital funds, and blockchain infrastructure. In a February 2026 Google Threat Intelligence report published prior to the axios attack, UNC1069 was documented deploying AI-generated deepfakes, real-time audio impersonation during live video calls, and generative AI tools including Google Gemini to produce phishing lure materials. The group's documented malware arsenal by early 2026 spanned seven families: WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, SUGARLOADER, CHROMEPUSH, and SILENCELIFT.","heading":"Cryptocurrency and Developer Ecosystem Targeting","severity":"critical","sources":[{"credibility":2,"name":"North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html"},{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":1,"name":"UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering — Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"},{"credibility":2,"name":"Axios Poisoned: UNC1069's npm Supply Chain Playbook — CSA Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-unc1069-axios-npm-supply-chain-20260403-cs/"}]},{"content":"UNC1069 has been tracked since at least April 2018. Between 2018 and 2020, the group is estimated to have stolen a minimum of $200 million from cryptocurrency exchanges, primarily in the United States and Japan, according to ClearSky's 2020 CryptoCore report. 
Prior to the March 2026 axios attack, the group had an established pattern of malicious npm package deployments used for credential and cryptocurrency theft. Since at least 2023, observed UNC1069 targeting expanded toward developer communities building Web3 infrastructure and centralized exchanges. The group's earlier social engineering methods included impersonating venture capitalists feigning investment interest, dispatching malicious script files (.scpt on macOS, .vbs on Windows) under the pretext of fixing meeting connection issues, and impersonating recruiters on professional platforms such as LinkedIn. Microsoft's 2024 CYBERWARCON presentation noted that Sapphire Sleet had stolen over $10 million in cryptocurrency from multiple companies over a six-month period in that reporting window. In a concurrent operation on the same day as the axios compromise (April 1, 2026), a separate DPRK-linked group designated UNC6780 (also tracked as TeamPCP) conducted supply chain poisoning of GitHub Actions and PyPI packages including Trivy, Checkmarx, and LiteLLM, deploying a credential stealer designated SANDCLOCK. 
The concurrent operations indicate coordinated broader North Korea-nexus targeting of open-source software ecosystems.","heading":"Historical Activity and Prior Campaigns","severity":"high","sources":[{"credibility":1,"name":"Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/"},{"credibility":2,"name":"North Korea-linked APT Sapphire Sleet targets IT job seekers — Security Affairs","type":"news_article","url":"https://securityaffairs.com/154082/apt/sapphire-sleet-apt-targets-it-job-seekers.html"},{"credibility":2,"name":"Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html"},{"credibility":2,"name":"Axios npm Compromised: UNC1069 Deploys Cross-Platform RAT — CSA Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-axios-npm-supply-chain-unc1069-20260401-cs/"}]},{"content":"On April 1, 2026 — the same day that attribution for the axios attack was confirmed — Drift Protocol, a Solana-based decentralized exchange, lost approximately $285 million in a separate DPRK-linked attack attributed with medium confidence to UNC4736 (also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). The Drift attack was the culmination of a six-month social engineering operation that began in October 2025, when attackers posing as a quantitative trading firm approached protocol contributors at a major crypto conference and built sustained in-person relationships with Security Council members. 
The attackers exploited Solana's durable nonces mechanism to obtain pre-signed transactions from Security Council members who were unaware they were signing over administrative control. Assets were drained within approximately 10 seconds. This operation, while attributed to a separate DPRK cluster, illustrates the scale and temporal coordination of North Korean state-sponsored cryptocurrency theft operations during the same period as the axios supply chain attack.","heading":"Concurrent DPRK Activity: Drift Protocol $285 Million Hack","severity":"high","sources":[{"credibility":2,"name":"Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"}]},{"content":"The following network and host indicators were published by CISA, Palo Alto Unit 42, and Tenable across coordinated advisories. Network indicators: C2 domain sfrclak[.]com (defanged); secondary domain callnrwise[.]com (defanged); C2 IP address 142.11.206[.]73 on port 8000; URL path /76202033 on C2 host. Malicious npm packages: plain-crypto-js@4.2.1, axios@1.14.1, axios@0.30.4, @shadaani/openclaw, and @qbrowser/openclaw-qbot. File system artifacts: /Library/Caches/com.apple.act.mond (macOS Mach-O binary); %PROGRAMDATA%\\wt.exe (Windows PowerShell copy); /tmp/ld.py (Linux Python RAT). 
Behavioral indicators: postinstall script execution during npm install or update; beaconing HTTP POST requests with a User-Agent string identifying as Internet Explorer 8 on Windows XP; outbound connections on port 8000 during build processes. Palo Alto Unit 42 published over 20 SHA256 hashes for malware samples across platforms. Organizations are advised to treat any npm access tokens, cloud keys, and SSH keys present on systems that ran axios@1.14.1 or axios@0.30.4 as fully compromised and rotate all such credentials.","heading":"Indicators of Compromise (IoCs)","severity":"critical","sources":[{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":2,"name":"Axios npm Supply Chain Attack Technical Analysis — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":2,"name":"Axios npm Supply Chain Attack FAQ — Tenable","type":"research","url":"https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"}]},{"content":"CISA's April 20, 2026 advisory recommended organizations take the following steps. Immediately downgrade axios to version 1.14.0 (1.x branch) or 0.30.3 (0.x branch) and pin dependencies in package-lock.json. Rotate all credentials potentially exposed on systems that ran the affected versions, including npm tokens, AWS keys, Azure credentials, SSH keys, GitHub personal access tokens, and CI/CD secrets. Block C2 domain sfrclak[.]com and IP 142.11.206[.]73 at the network perimeter. Monitor for anomalous child processes spawned by Node.js and for outbound connections initiated during npm install or update operations. Set ignore-scripts=true in .npmrc files to prevent postinstall hook execution. 
Configure min-release-age=7 in npm to require a delay before newly published packages are installed, reducing exposure to freshly published malicious packages. Mandate phishing-resistant multi-factor authentication for all developer npm and version control accounts. Implement endpoint detection and response (EDR) tooling and hunt for WAVESHAPER.V2 file artifacts. Palo Alto Networks published detection coverage via Advanced WildFire, Advanced Threat Prevention (signature 87121), and Cortex XDR/XSIAM.","heading":"Mitigation and Defensive Guidance","severity":"high","sources":[{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":2,"name":"Axios npm Supply Chain Attack Technical Analysis — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":2,"name":"What We Learned: Axios NPM Supply Chain Compromise Emergency Briefing — SANS Institute","type":"research","url":"https://www.sans.org/blog/what-we-learned-axios-npm-supply-chain-compromise-emergency-briefing"}]}],"sources_used":[{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":1,"name":"Mitigating the Axios npm supply chain compromise — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"credibility":1,"name":"Dissecting Sapphire Sleet's macOS intrusion from lure to compromise — Microsoft Security 
Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"},{"credibility":1,"name":"UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering — Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"},{"credibility":1,"name":"Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/"},{"credibility":2,"name":"Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html"},{"credibility":2,"name":"Axios npm Supply Chain Attack FAQ: North Korea UNC1069 — Tenable","type":"research","url":"https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"},{"credibility":2,"name":"Axios npm Supply Chain Attack Technical Analysis — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":2,"name":"What We Learned: Axios NPM Supply Chain Compromise Emergency Briefing — SANS Institute","type":"research","url":"https://www.sans.org/blog/what-we-learned-axios-npm-supply-chain-compromise-emergency-briefing"},{"credibility":2,"name":"Axios npm Compromised: UNC1069 Deploys Cross-Platform RAT — CSA Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-axios-npm-supply-chain-unc1069-20260401-cs/"},{"credibility":2,"name":"Axios Poisoned: UNC1069's npm Supply Chain Playbook — CSA 
Labs","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-unc1069-axios-npm-supply-chain-20260403-cs/"},{"credibility":2,"name":"Axios npm Supply Chain Attack: Technical Analysis, IOCs, Detection and Mitigation — Loginsoft","type":"research","url":"https://www.loginsoft.com/post/axios-npm-supply-chain-attack-technical-analysis-iocs-detection-mitigation"},{"credibility":2,"name":"North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html"},{"credibility":2,"name":"North Korea-linked APT Sapphire Sleet targets IT job seekers — Security Affairs","type":"news_article","url":"https://securityaffairs.com/154082/apt/sapphire-sleet-apt-targets-it-job-seekers.html"},{"credibility":2,"name":"Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"}],"summary":"Sapphire Sleet (Microsoft designation) / UNC1069 (Google Mandiant designation) is a North Korean state-sponsored advanced persistent threat group assessed to operate under the Reconnaissance General Bureau, active since at least 2018. The group is financially motivated and primarily targets cryptocurrency exchanges, DeFi platforms, venture capital funds, wallet providers, and software developers. 
On March 31, 2026, the group executed a supply chain compromise of the axios npm package — which receives over 100 million weekly downloads — deploying the WAVESHAPER.V2 cross-platform remote access trojan to approximately 600,000 installations during a three-hour exposure window.","timeline":[{"date":"2018-04-01","event":"UNC1069 becomes active (earliest tracked date per Google Mandiant), focusing on cryptocurrency exchanges in the United States and Japan.","source":"Tenable FAQ on UNC1069 axios attack","source_url":"https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"},{"date":"2020-06-01","event":"ClearSky publishes CryptoCore report tracking the group's estimated $200 million minimum theft from cryptocurrency exchanges since 2018.","source":"The Hacker News — Google Attributes Axios npm Supply Chain Attack to UNC1069","source_url":"https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html"},{"date":"2020-03-01","event":"Microsoft begins tracking the threat cluster as Sapphire Sleet, identifying it as a North Korean nation-state actor targeting the cryptocurrency sector.","source":"Microsoft Security Blog — Mitigating the Axios npm supply chain compromise","source_url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"date":"2024-11-22","event":"Microsoft presents at CYBERWARCON noting Sapphire Sleet stole over $10 million in cryptocurrency from multiple companies over a six-month window, using fake VC and recruiter social engineering lures.","source":"Microsoft Security Blog — CYBERWARCON threat intelligence","source_url":"https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/"},{"date":"2025-10-01","event":"Concurrent DPRK-linked group (UNC4736 / Citrine Sleet) begins six-month social engineering operation against Drift 
Protocol Security Council members, posing as a quantitative trading firm at a major crypto conference.","source":"The Hacker News — Drift $285M DPRK nonce attack","source_url":"https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html"},{"date":"2026-02-01","event":"Google Threat Intelligence publishes report documenting UNC1069's deployment of AI-generated deepfakes, fake Zoom and Teams meetings, ClickFix infection vectors, and a seven-family malware arsenal including WAVESHAPER, HYPERCALL, and SILENCELIFT.","source":"The Hacker News — North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations","source_url":"https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html"},{"date":"2026-03-30","event":"Attacker publishes clean decoy package plain-crypto-js@4.2.0 to the npm registry at 05:57 UTC. Malicious plain-crypto-js@4.2.1 published at 23:59 UTC.","source":"Tenable FAQ on UNC1069 axios attack","source_url":"https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"},{"date":"2026-03-31","event":"axios@1.14.1 published at 00:21 UTC and axios@0.30.4 at approximately 01:00 UTC with WAVESHAPER.V2 payload. Socket.dev detects the compromise at 00:05 UTC (approximately 6 minutes after plain-crypto-js@4.2.1 publication). Both malicious axios versions removed from npm registry at approximately 03:15 UTC. Approximately 600,000 installations occur during the roughly 3-hour exposure window.","source":"CISA Alert; SANS Emergency Briefing; Tenable FAQ","source_url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"date":"2026-04-01","event":"Microsoft publishes initial attribution blog post identifying Sapphire Sleet as the threat actor behind the axios compromise. 
Drift Protocol loses $285 million in a separate DPRK-linked durable nonce attack attributed to UNC4736/Citrine Sleet.","source":"Microsoft Security Blog; The Hacker News","source_url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"date":"2026-04-02","event":"Google Mandiant confirms attribution of axios attack to UNC1069, publishing technical details and infrastructure overlaps linking the operation to prior UNC1069 WAVESHAPER deployments via AstrillVPN node.","source":"SANS Emergency Briefing","source_url":"https://www.sans.org/blog/what-we-learned-axios-npm-supply-chain-compromise-emergency-briefing"},{"date":"2026-04-16","event":"Microsoft publishes a follow-on technical post dissecting Sapphire Sleet's macOS intrusion chain, covering credential theft and elevation of privilege techniques.","source":"Microsoft Security Blog — Dissecting Sapphire Sleet's macOS intrusion","source_url":"https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/"},{"date":"2026-04-20","event":"CISA publishes formal alert on the axios npm supply chain compromise with technical IOCs, affected version list, safe downgrade targets, and mitigation guidance.","source":"CISA Alert","source_url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"}]},"v":1}