8 Critical Insights Into the Axios NPM Supply Chain Attack by a North Korea-Linked Actor

<p>In late March 2026, a supply chain attack hit the <strong>Axios</strong> JavaScript library, a dependency relied on by millions of developers and organizations. Malicious code was injected into two official Axios releases on the npm registry, and the payload ran on Windows, macOS and Linux. The Google Threat Intelligence Group (GTIG) attributed the activity to <strong>UNC1069</strong>, a financially motivated group linked to North Korea, and traced the malicious publications back to a compromised maintainer account. This article breaks down the eight most important things to know about the incident, from the initial account takeover to the backdoor it delivered, together with actionable guidance for defenders.</p> <h2 id="section1">1. The Attack at a Glance: Breaching the Most Popular HTTP Library</h2> <p>On March 31, 2026, between 00:21 and 03:20 UTC, the attacker added a malicious dependency named <strong>plain-crypto-js</strong> to Axios versions 1.14.1 and 0.30.4. Axios is the <em>most widely used</em> JavaScript HTTP client, with over <strong>100 million</strong> weekly downloads for the 1.x line and 83 million for 0.x, so the two releases handed the attacker an enormous distribution channel. The malicious package contained an obfuscated dropper that, on installation, silently deployed the <strong>WAVESHAPER.V2</strong> backdoor, a cross-platform implant built to steal data and keep persistent access.
GTIG linked the activity to UNC1069, a North Korea-nexus group active since at least 2018 and known for financially driven operations.</p><figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png" alt="8 Critical Insights Into the Axios NPM Supply Chain Attack by a North Korea-Linked Actor" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure> <h2 id="section2">2. How the Compromise Unfolded: Account Takeover and Email Change</h2> <p>The attack vector was not a zero-day or a vulnerability in Axios itself but a <strong>compromised maintainer account</strong>. GTIG's analysis found that the email address on the Axios maintainer's npm account had been changed to an attacker-controlled address, <a href="mailto:ifstap@proton.me">ifstap@proton.me</a>, which let the threat actor publish releases that looked like any other maintainer update. The attacker then declared <em>plain-crypto-js</em> as a direct dependency of Axios, so anyone installing either compromised version pulled the malicious package automatically. A <code>package-lock.json</code> that captured one of those versions also pinned plain-crypto-js, so even a clean <code>npm ci</code> from that lock reproduced the infection until the lock was regenerated. This is the classic supply chain pattern: the trust developers place in a maintainer's identity is only as strong as the account that identity is tied to.</p> <h2 id="section3">3. The Malicious Package: plain-crypto-js and Its Stealthy Dropper</h2> <p>The <strong>plain-crypto-js</strong> package (version 4.2.1) was the delivery vehicle for a multi-stage payload. Its core component, named <strong>SILKBELL</strong>, is a JavaScript dropper (<code>setup.js</code>, SHA256 <code>e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09</code>) that ran automatically through the <code>postinstall</code> hook declared in the package's <code>package.json</code>.
That hook ran <code>node setup.js</code> as soon as npm finished unpacking the package, with no prompt and no visible output. The dropper hid its command-and-control (C2) URLs and OS-specific commands behind a custom XOR layer wrapped in Base64, and it loaded the Node.js built-ins <code>fs</code>, <code>os</code> and <code>child_process</code> (the source of <code>execSync</code>) dynamically rather than through plain <code>require</code> statements, which keeps those module names out of the literal strings that static scanners look for.</p> <h2 id="section4">4. Cross-Platform Payload Delivery: Windows, macOS, and Linux</h2> <p>One of the most alarming aspects of the attack is its <strong>cross-platform reach</strong>. On execution, <code>setup.js</code> first identified the operating system with Node's <code>os.platform()</code>, then downloaded and ran a platform-specific payload:</p> <ul> <li><strong>Windows:</strong> a compiled WAVESHAPER.V2, disguised as a legitimate system file, downloaded and executed silently through <code>cmd.exe</code>.</li> <li><strong>macOS:</strong> a Mach-O build of the same backdoor, launched through <code>/bin/bash</code>.</li> <li><strong>Linux:</strong> an ELF build, downloaded and run through <code>/bin/sh</code>, which hands the attacker the Linux servers common in cloud and DevOps environments.</li> </ul> <p>Covering all three platforms widens the pool of victims considerably, from developer laptops to the CI runners and servers where dependency installs run unattended. For defenders it also means the detection signal is the same everywhere: a <code>node</code> process spawning a shell in the middle of an <code>npm install</code>.</p> <h2 id="section5">5. The Backdoor: WAVESHAPER.V2 – An Updated and Persistent Threat</h2> <p>The final payload was <strong>WAVESHAPER.V2</strong>, an updated version of the WAVESHAPER backdoor previously attributed to UNC1069. It keeps the core capabilities of its predecessor (keylogging, screen capture, file exfiltration and command execution) while improving its stealth and persistence mechanisms.
WAVESHAPER.V2 talks to its C2 server over encrypted channels and can update its configuration on the fly. GTIG tied the campaign to UNC1069 through <strong>infrastructure overlaps</strong> with the group's earlier operations, including shared IP addresses and domain registration patterns. The backdoor belongs to a broader toolkit the group uses for financial espionage and theft.</p><figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png" alt="8 Critical Insights Into the Axios NPM Supply Chain Attack by a North Korea-Linked Actor" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure> <h2 id="section6">6. Evasion and Self-Destruction: Hiding Traces from Investigators</h2> <p>The dropper also used several <strong>anti-forensic techniques</strong>. After launching the second-stage payload, <code>setup.js</code> tried to delete itself from disk and reverted the change to the Axios <code>package.json</code> that had added the <code>postinstall</code> hook, so a casual look at the installed tree would show nothing unusual. Because of this cleanup, the durable evidence on an affected host lives elsewhere: the plain-crypto-js entry in <code>package-lock.json</code> (if the lock was written or updated during that install), the cached tarball in the npm cache (<code>~/.npm/_cacache</code> by default), process telemetry showing <code>node</code> spawning <code>cmd.exe</code>, <code>/bin/bash</code> or <code>/bin/sh</code> during an install, and the outbound connections that followed. The obfuscated strings, meanwhile, make the script hard for static tools to flag without executing it. Cleanup of this kind is a hallmark of actors who understand how incident responders work.</p> <h2 id="section7">7. Attribution and Historical Context: UNC1069’s Financial Motives</h2> <p>GTIG attributes the campaign to <strong>UNC1069</strong>, a group active since at least 2018 that is assessed to be financially motivated and aligned with North Korean state objectives.
Past UNC1069 operations include cryptocurrency theft, ransomware deployment and the targeting of financial institutions. The use of WAVESHAPER.V2 is a key indicator, since a related version appeared in a 2024 campaign against a South Korean cryptocurrency exchange. Infrastructure overlaps, such as the use of <strong>Proton.me</strong> accounts and particular hosting providers, further support the attribution. Knowing the actor's history helps defenders prioritize detections and share threat intelligence across sectors.</p> <h2 id="section8">8. Recommendations for Defenders: Mitigation and Detection Steps</h2> <p>Organizations that use Axios in Node.js projects should act immediately. First, find every install of 1.14.1 or 0.30.4 (<code>npm ls axios</code> shows the resolved version in a project, including transitive copies) and move to a clean release published after the compromise (1.15.0 or 0.31.0 if available, but confirm the exact version against the npm registry with <code>npm view axios versions</code> and GTIG's advisory rather than assuming a number), then regenerate the lockfile. Second, <strong>search package-lock.json</strong> and the npm cache for <em>plain-crypto-js</em> and sweep hosts for the indicators of compromise (IOCs) GTIG published, such as C2 domains and file hashes; any machine that ran an install of a compromised version should be treated as compromised, with its npm tokens, cloud credentials and SSH keys rotated. Third, adopt <strong>supply chain security tooling</strong> that vets dependencies against known-malicious lists before they reach a build. Fourth, install with lifecycle scripts disabled by default (<code>npm ci --ignore-scripts</code>, or <code>ignore-scripts=true</code> in <code>.npmrc</code>) and allow-list the few packages, typically native modules, that genuinely need them. Finally, enable <strong>behavioral monitoring</strong> for unexpected process creation under <code>npm</code> and <code>node</code>, especially shell launches from <code>postinstall</code> hooks, and audit maintainer permissions and enforce two-factor authentication on npm accounts to reduce the risk of similar takeovers.</p> <p>This incident underscores the need for continuous vigilance in open-source ecosystems. As attackers refine their techniques, the community must answer with stronger security practices, faster incident response and greater transparency. By understanding the methods of groups like UNC1069, defenders can better protect their software supply chains.</p>
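<p>The following is an added example written for this article, not code from Axios, npm or GTIG. It turns the checks in section 8 into a small Node.js audit: it walks a parsed <code>package-lock.json</code> for the compromised Axios releases, the plain-crypto-js package and any package npm itself marked as having an install script (the lockfile's <code>hasInstallScript</code> field), then inspects a package manifest and the script its install hooks would run for the dropper behaviours described in sections 3, 4 and 6. The lockfile, manifest and mock <code>setup.js</code> below are constructed for the demo, the <code>readScript</code> callback is injected so nothing touches disk, and the pattern heuristics are our own rather than any published detection rule.</p>

```javascript
// Added example for this write-up (not Axios, npm or GTIG code): audit a parsed
// npm package-lock.json and an installed package's manifest for the indicators
// discussed above. All inputs below are constructed for the demo; the version
// numbers and package name come from the article, the heuristics are our own.

// Releases named in the article as carrying the malicious dependency.
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_PACKAGES = new Set(['plain-crypto-js']);
// Lifecycle scripts npm runs on its own during `npm install` / `npm ci`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Behaviours typical of a Node dropper (assumed heuristics, tuned to sections 3, 4 and 6).
const DROPPER_PATTERNS = [
  { name: 'os-fingerprinting', re: /\bos\.platform\s*\(/ },
  { name: 'shell-execution', re: /\b(execSync|spawnSync|exec|spawn)\s*\(/ },
  { name: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\)/ },
  { name: 'xor-decode', re: /\b\w+\s*\^\s*\w+/ },
  { name: 'self-delete', re: /\b(unlinkSync|rmSync|unlink)\s*\(\s*__filename/ },
  { name: 'dynamic-require', re: /require\s*\(\s*[^'"]/ },
];

// Walk the `packages` map of a lockfile (lockfileVersion 2 or 3) and report
// compromised axios releases, known-malicious packages, and packages that npm
// itself marked as having install scripts (`hasInstallScript`).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const version = entry.version;
    if (name === 'axios' && COMPROMISED_AXIOS.has(version)) {
      findings.push({ path, name, version, reason: 'compromised axios release' });
    }
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ path, name, version, reason: 'known malicious package' });
    }
    if (entry.hasInstallScript) {
      findings.push({ path, name, version, reason: 'declares install script' });
    }
  }
  return findings;
}

// Inspect one package manifest and the script each install hook would run.
// `readScript(file)` returns the text of a script file; it is injected so the
// demo needs no disk access (in practice: fs.readFileSync of node_modules/<pkg>/<file>).
function auditManifest(manifest, readScript) {
  const report = { name: manifest.name, hooks: [], patterns: [], score: 0 };
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    report.hooks.push(`${hook}: ${cmd}`);
    report.score += 2; // any install hook deserves a look
    // "node setup.js" -> scan setup.js; otherwise judge the command line itself
    const m = cmd.match(/^node\s+([\w./-]+\.js)\s*$/);
    const body = m ? readScript(m[1]) || '' : cmd;
    for (const { name, re } of DROPPER_PATTERNS) {
      if (re.test(body) && !report.patterns.includes(name)) {
        report.patterns.push(name);
        report.score += 1;
      }
    }
  }
  return report;
}

// ---- constructed inputs for the demo ----
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/harmless-dep': { version: '2.0.0' },
  },
};
const SAMPLE_MANIFEST = { name: 'plain-crypto-js', version: '4.2.1', scripts: { postinstall: 'node setup.js' } };
// A mock dropper body showing the behaviours from sections 3, 4 and 6 (no real C2, no real payload).
const SAMPLE_FILES = {
  'setup.js': [
    "const os = require('os');",
    "const cp = require(['child_', 'process'].join(''));",
    "const k = 0x5a;",
    "const raw = Buffer.from('Kk5eWQ==', 'base64');",
    "const cmd = Buffer.from(raw.map(b => b ^ k)).toString();",
    "const shell = os.platform() === 'win32' ? 'cmd.exe' : '/bin/sh';",
    "try { cp.execSync(shell + ' ' + cmd); } catch (e) {}",
    "require('fs').unlinkSync(__filename);",
  ].join('\n'),
};

function runDemo() {
  return {
    lockFindings: auditLockfile(SAMPLE_LOCK),
    manifestReport: auditManifest(SAMPLE_MANIFEST, (f) => SAMPLE_FILES[f]),
  };
}

const demo = runDemo();
for (const f of demo.lockFindings) console.log(`[lock] ${f.reason}: ${f.path}@${f.version}`);
console.log(`[manifest] ${demo.manifestReport.name} score=${demo.manifestReport.score} ` +
            `hooks=${demo.manifestReport.hooks.join('; ')} patterns=${demo.manifestReport.patterns.join(',')}`);
```

<p>Run against a real project, the lockfile pass is cheap enough to put in CI, and the <code>hasInstallScript</code> check catches new packages that gain install hooks in a later version even when nobody has added them to a blocklist yet. The script heuristics are deliberately noisy (native modules legitimately call <code>execSync</code> from their install hooks), so treat the score as a triage ordering rather than a verdict, and pair it with <code>--ignore-scripts</code> so an unreviewed hook never runs in the first place.</p>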
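<p>A second added example, again written for this article rather than taken from the dropper or from GTIG tooling, addresses the obfuscation described in sections 3 and 6. The article says SILKBELL hid its C2 URLs and commands with custom XOR combined with Base64; the exact scheme is not published here, so the code assumes the simplest form, a single repeating key byte applied before Base64 encoding. Under that assumption an analyst does not need the key: the script brute-forces all 256 candidates and keeps only decodes that are fully printable and look like something a dropper would hide. The sample blob is constructed in the block itself from a fake URL on the reserved <code>.invalid</code> domain, so it is not a real indicator.</p>

```javascript
// Added example for this write-up (not the dropper's code and not GTIG tooling):
// recover strings hidden as base64(plaintext XOR single-byte key). The article
// says the dropper used "custom XOR combined with Base64"; the exact scheme is
// not published here, so a single repeating byte is an assumption for illustration.

const PRINTABLE = /^[\x20-\x7e]+$/;
// Things a dropper is likely to hide: C2 URLs, shell binaries, download tools.
const INTERESTING = /https?:\/\/|cmd\.exe|\/bin\/(ba)?sh|\bcurl\b|\bwget\b|powershell/i;

// Base64-decode the blob, then XOR every byte with `key`.
function xorBase64Decode(blob, key) {
  const bytes = Buffer.from(blob, 'base64');
  return Buffer.from(bytes.map((b) => b ^ key)).toString('latin1');
}

// Try all 256 keys; keep decodes that are fully printable and match INTERESTING.
// Printability alone is a weak filter, so the content check does the real work.
function bruteForceXorBase64(blob) {
  const hits = [];
  for (let key = 0; key < 256; key++) {
    const text = xorBase64Decode(blob, key);
    if (PRINTABLE.test(text) && INTERESTING.test(text)) hits.push({ key, text });
  }
  return hits;
}

// The inverse, used only to construct sample blobs so the demo runs offline.
function obfuscate(text, key) {
  const bytes = Buffer.from(text, 'latin1').map((b) => b ^ key);
  return Buffer.from(bytes).toString('base64');
}

// Constructed sample: a fake C2 URL under key 0x5a (not a real indicator).
const SAMPLE_KEY = 0x5a;
const SAMPLE_BLOB = obfuscate('https://c2.example.invalid/stage2', SAMPLE_KEY);

for (const { key, text } of bruteForceXorBase64(SAMPLE_BLOB)) {
  console.log(`key=0x${key.toString(16).padStart(2, '0')} -> ${text}`);
}
```

<p>On a real sample, feed every Base64-looking literal pulled from the script into <code>bruteForceXorBase64</code>; a multi-byte repeating key needs the same loop per key position with a frequency or crib check instead of the whole-string printability test, and a scheme that is not XOR at all will simply return no hits, which is itself useful to know before spending time on dynamic analysis.</p>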