Supply Chain Attack on Axios NPM Package Tied to North Korean Hacker Group UNC1069
Introduction
Google Threat Intelligence Group (GTIG) has uncovered an active software supply chain attack targeting the widely used Node Package Manager (NPM) package axios. Between March 31, 2026, 00:21 and 03:20 UTC, a malicious dependency named plain-crypto-js was injected into axios versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library for simplifying HTTP requests, with versions 1.14.1 and 0.30.4 generating over 100 million and 83 million weekly downloads, respectively. The malicious package acts as an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems.

GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. This conclusion is based on the use of WAVESHAPER.V2—an updated version of the WAVESHAPER backdoor previously used by UNC1069—and infrastructure overlaps with prior campaigns.
This article details the attack lifecycle, from account compromise to OS-specific payload deployment, and provides actionable guidance for defenders to detect and mitigate this threat.
Campaign Overview
On March 31, 2026, GTIG observed the introduction of plain-crypto-js version 4.2.1 as a dependency in the legitimate axios package version 1.14.1. Analysis indicates that the maintainer account for the axios package was compromised, with the associated email address changed to an attacker-controlled account (ifstap@proton.me).
The threat actor exploited the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. When the compromised axios package is installed, NPM automatically executes an obfuscated JavaScript dropper named setup.js in the background.
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "postinstall": "node setup.js"
  }
Malware Analysis
The plain-crypto-js package serves as a payload delivery vehicle. Its core component, SILKBELL (setup.js; SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), dynamically checks the target operating system upon execution to deliver platform-specific payloads.
The script uses a custom XOR and Base64-based obfuscation routine to conceal the command-and-control (C2) URL and host-specific execution commands. To evade static analysis, it dynamically loads the Node.js modules fs, os, and execSync. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to hide forensic traces of the postinstall hook.
Windows Execution Path
On Windows, the dropper actively downloads and executes the WAVESHAPER.V2 backdoor, which is an updated variant of the previously documented WAVESHAPER. The backdoor establishes persistence and communicates with the attacker-controlled C2 server to exfiltrate data and receive further commands.
macOS Execution Path
For macOS systems, the dropper delivers a similarly obfuscated payload that targets the platform's specific environment. The backdoor installs itself in a stealthy manner, often leveraging launch agents or daemons for persistence.
Linux Execution Path
On Linux, the dropper deploys the same backdoor but uses Linux-specific techniques, such as cron jobs or systemd services, to maintain persistence. The payload is tailored to operate across major distributions.

Attribution
GTIG attributes this attack to UNC1069, a threat actor with strong ties to North Korea. UNC1069 has been active since at least 2018 and is known for financially motivated operations, including cryptocurrency theft and ransomware. The use of WAVESHAPER.V2—a clear evolution of the earlier WAVESHAPER backdoor used by UNC1069—along with infrastructure overlaps (e.g., shared IP addresses and domain registration patterns) solidifies this attribution.
Mitigation Guidance
Defenders should take the following steps to identify and mitigate this threat:
- Check package versions: Verify if your project uses axios versions 1.14.1 or 0.30.4. If so, downgrade or update to a known clean version (e.g., 1.14.0 or 1.15.0) immediately.
- Audit dependencies: Review your package-lock.json for the presence of plain-crypto-js. Remove it and any other suspicious dependencies.
- Monitor for postinstall hooks: Use tools like npm audit or custom scripts to detect unexpected postinstall scripts in your dependencies.
- Check system logs: Look for unusual network connections to IP addresses associated with UNC1069 or the C2 server extracted from the dropper.
- Rotate credentials: If you suspect compromise, change all API keys, tokens, and passwords stored on affected systems.
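The lockfile audit and postinstall-hook check described above, as an added example that is not code from the advisory or from GTIG: it scans a package-lock.json for the affected axios and plain-crypto-js versions and cross-checks packages the lockfile flags as having install scripts against their installed manifests. The lockfile and manifest data are constructed samples, and the name-from-path logic assumes the npm lockfile v2/v3 "packages" layout.

```javascript
// Added example (not from the advisory): audit a package-lock.json for
// blocklisted dependency versions and for install-time hooks (postinstall etc.).
// All data below is constructed to mimic npm lockfile v2/v3 and node_modules manifests.
const LOCKFILE_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Constructed stand-ins for node_modules/<name>/package.json contents.
const INSTALLED_MANIFESTS = {
  "plain-crypto-js": { name: "plain-crypto-js", version: "4.2.1", scripts: { postinstall: "node setup.js" } },
  "follow-redirects": { name: "follow-redirects", version: "1.15.6" },
};

// Versions named in the advisory as affected.
const BLOCKLIST = { "plain-crypto-js": ["4.2.1"], axios: ["1.14.1", "0.30.4"] };

// Package name is the path segment after the last "node_modules/" (handles nesting and scopes).
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Walk the lockfile "packages" map; return every entry whose version is blocklisted.
function findBlocklistedPackages(lockfile, blocklist) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = nameFromPath(path);
    const bad = blocklist[name];
    if (bad && bad.includes(entry.version)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// npm marks packages with install scripts via hasInstallScript; confirm which hook and command.
const HOOKS = ["preinstall", "install", "postinstall"];
function findInstallHooks(lockfile, manifests) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!entry.hasInstallScript) continue;
    const name = nameFromPath(path);
    const scripts = (manifests[name] && manifests[name].scripts) || {};
    for (const hook of HOOKS) if (scripts[hook]) findings.push({ name, hook, command: scripts[hook] });
  }
  return findings;
}
```

On a real project, load package-lock.json with JSON.parse and read each flagged package's manifest from node_modules before calling these functions.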
Indicators of Compromise (IOCs)
The following indicators can help detect this attack:
- Package: plain-crypto-js version 4.2.1 (SHA256 of package: refer to original advisory)
- Dropper file: setup.js with SHA256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
- C2 URL: Obfuscated in the dropper; GTIG has identified the underlying IP/domain (contact GTIG for details)
- Attacker email: ifstap@proton.me
- Backdoor: WAVESHAPER.V2 (various hashes)
Conclusion
This supply chain attack demonstrates the ongoing threat posed by state-linked groups targeting widely used open-source packages. By compromising an NPM maintainer account, UNC1069 was able to inject a malicious dependency into the highly popular axios library, potentially affecting millions of users. The use of an obfuscated dropper and OS-specific payloads underscores the sophistication of the attack. Defenders must remain vigilant, regularly audit dependencies, and stay informed about emerging threats.