
North Korea-linked hack hits largely invisible software that powers online services


What Happened

  • Hackers linked to North Korea breached Axios, a widely used open-source JavaScript library that facilitates communication between apps and web services, by injecting malicious code into a software update released on March 31, 2026.
  • Google attributed the attack to a group it tracks as UNC1069, which has operated since at least 2018 and specialises in targeting cryptocurrency and financial industries; the group is part of North Korea's broader Lazarus Group ecosystem.
  • The malicious software — which has since been removed — was capable of stealing login credentials and access tokens from infected systems running macOS, Windows, and Linux, enabling downstream data theft and further cyber operations.
  • Cybersecurity researchers described it as a supply chain attack: by compromising Axios rather than targeting end users directly, the attackers created a delivery mechanism with potential reach into millions of computing environments worldwide.
  • North Korea uses stolen cryptocurrency to fund its nuclear weapons and ballistic missile programs and to evade international sanctions; in 2025 alone, North Korean state-sponsored hackers stole over $2 billion in digital assets.

Static Topic Bridges

Software Supply Chain Attacks: What They Are and Why They Are Dangerous

A software supply chain attack occurs when a malicious actor compromises a trusted software package, library, build system, or update mechanism — rather than targeting the end user directly. Because downstream users and organisations automatically trust and deploy updates from software they already use, the attack propagates invisibly and at scale. Unlike phishing or direct intrusion, a supply chain attack requires no action from the victim; the compromised software "does it for you," as one researcher put it.

  • Notable precedents include the SolarWinds attack (2020), in which state-sponsored actors (attributed to Russia) injected malware into a network monitoring software update used by 18,000 organisations, including U.S. federal agencies
  • The XZ Utils backdoor (2024) was an attempted supply chain attack on a Linux compression library that nearly compromised SSH servers globally
  • Open-source software is particularly vulnerable because code changes can be made by any contributor; maintainer accounts are high-value targets for credential theft
  • The Axios library is used in millions of JavaScript applications; a single compromised update can affect web services, banking apps, government portals, and mobile applications simultaneously

Connection to this news: The Axios compromise follows the same template as previous North Korean supply chain operations — targeting widely-used developer infrastructure rather than individual organisations — because the multiplier effect of such attacks vastly exceeds the effort of direct intrusion.

North Korea's Lazarus Group: Cyber Warfare as Economic Strategy

The Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor believed to operate under the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency. Unlike most cyber-espionage groups that focus primarily on intelligence collection, Lazarus Group has a distinctive dual mandate: geopolitical disruption and revenue generation through cybercrime — particularly cryptocurrency theft to fund sanctioned weapons programs.

  • Lazarus Group has been active since approximately 2007; its major known attacks include the Sony Pictures hack (2014), the $81 million Bangladesh Bank heist (2016), WannaCry ransomware (2017), and repeated cryptocurrency exchange thefts
  • In February 2025, the group executed the Bybit hack — stealing $1.5 billion in cryptocurrency, the single largest crypto theft in history, by exploiting a third-party wallet management tool (Safe{Wallet}) in a supply chain-style attack
  • North Korean crypto theft reached $2.02 billion in 2025, a 51% increase from 2024
  • The group is prolific in developer-targeting campaigns: "Operation Dream Job" and "Marstech Mayhem" lure software developers with fake job offers, then compromise their systems and by extension the software they maintain

Connection to this news: Google's attribution of the Axios attack to UNC1069 (part of the Lazarus ecosystem) confirms North Korea's sustained strategic investment in supply chain vectors as a high-yield method of credential harvesting and crypto theft.

India's Cybersecurity Framework: CERT-In, NCIIPC and the IT Act

India's cybersecurity architecture is built on two pillars established under amendments to the Information Technology (IT) Act, 2000. CERT-In (Indian Computer Emergency Response Team), established under Section 70B of the IT Act, is the national nodal agency for incident response, threat intelligence, and coordination across sectors for non-critical infrastructure. NCIIPC (National Critical Information Infrastructure Protection Centre), established under Section 70A of the IT Act, protects critical information infrastructure (CII) — systems whose disruption would have a debilitating impact on national security, governance, economy, or public welfare.

  • CERT-In, under the Ministry of Electronics and Information Technology (MeitY), issued mandatory Cyber Security Directions in April 2022 requiring organisations to report incidents within 6 hours — one of the strictest mandatory reporting timelines globally
  • NCIIPC, under the National Technical Research Organisation (NTRO), identifies and protects CII across sectors including power, banking, telecom, transport, and government systems
  • India's Personal Data Protection framework (Digital Personal Data Protection Act, 2023) adds a layer of obligations for data fiduciaries in case of data breaches
  • The National Cyber Security Policy (2013) remains the overarching strategic document; a revised version has been under development
  • India is a participant in international cyber cooperation through frameworks like the Budapest Convention (observer) and bilateral cyber dialogues

Connection to this news: A global supply chain attack on widely-used open-source software like Axios directly threatens Indian software companies, fintech platforms, and government digital infrastructure (many of which use the same JavaScript ecosystem), underlining the necessity of CERT-In's sector-wide alert mechanisms and NCIIPC's monitoring of CII supply chains.

Key Facts & Data

  • Malware injected into: Axios open-source JavaScript library (HTTP client, used in millions of applications)
  • Attack type: Software supply chain attack — malicious code inserted into a legitimate software update
  • Attributed group: UNC1069 (Google's tracking designation), part of the Lazarus Group / North Korea's RGB
  • Malware capability: credential and access token theft; affected macOS, Windows, and Linux systems
  • North Korean crypto theft in 2025: over $2 billion (51% increase from 2024); Bybit hack alone = $1.5 billion
  • Lazarus Group operational since: at least 2007; active in supply chain attacks since 2018
  • CERT-In: established under Section 70B, IT Act 2000; mandatory incident reporting within 6 hours (April 2022 directions)
  • NCIIPC: established under Section 70A, IT Act 2000; protects Critical Information Infrastructure