
Software supply-chain hack linked to North Korea exposes thousands of US firms

Published April 2, 2026

A suspected North Korean hacking group has compromised a widely used open-source software package, potentially exposing thousands of US companies in what security experts describe as a large-scale supply-chain attack.

The breach centred on a developer account tied to Axios, a tool used across industries to manage web applications. For roughly three hours on Tuesday morning, attackers gained control of the account and pushed malicious updates to any organisations downloading the software during that window.

Because Axios is embedded in systems used by sectors ranging from healthcare to finance — including companies tied to cryptocurrency — the scope of exposure is still unfolding. Early estimates suggest only a fraction of affected systems has been identified so far.

Mandiant, a cybersecurity firm owned by Google, attributed the operation to a North Korean-linked group. Experts say the goal is likely financial, with stolen cryptocurrency expected to fund Pyongyang’s weapons programmes.

“We anticipate they will try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,” Charles Carmakal, Mandiant’s chief technology officer, told CNN. “It will likely take months to assess the downstream impact of this campaign.”

Initial findings from security firm Huntress identified about 135 compromised devices across roughly 12 organisations. But researchers stress that this represents only a small subset of potential victims, with the full scale expected to grow as more companies audit their systems.

The attack follows a pattern. North Korea has increasingly relied on cyber operations as a source of revenue, stealing billions of dollars from financial institutions and crypto platforms in recent years, according to UN and industry reports. A US official said in 2023 that roughly half of the country’s missile programme has been financed through such digital theft.

Last year alone, North Korean hackers carried out a $1.5bn cryptocurrency theft, then the largest on record.

The mechanics of the current breach also highlight a structural vulnerability. Supply-chain attacks exploit trust in widely used software dependencies, allowing attackers to distribute malicious code at scale through routine updates.

John Hammond, a researcher at Huntress, said the timing of the attack reflects a broader shift in how software is built and deployed.

“The whole software supply chain’s biggest weakness has an open door in today’s era where too many people don’t read what gets put in the ingredients anymore,” Hammond told CNN.

 

Wyoming Star Staff
