
Google Attributes Axios npm Supply Chain Attack to North Korean APT UNC1069

  • Apr 1

Key Findings


  • Google Threat Intelligence Group attributed the Axios npm supply chain attack to UNC1069, a financially motivated North Korean threat group active since at least 2018

  • Attackers compromised maintainer Jason Saayman's npm account and published two malicious Axios versions (1.14.1 and 0.30.4) within an hour

  • The attack injected a malicious dependency called "plain-crypto-js" that deployed a cross-platform remote access trojan targeting Windows, macOS, and Linux

  • Given Axios' 400 million monthly downloads and 100 million weekly downloads, the potential impact is significant across downstream projects

  • Attribution was confirmed through infrastructure overlaps, use of WAVESHAPER.V2 malware, VPN connections, and malware code references linking to known North Korean operations


Background


Axios is a widely used HTTP client library for JavaScript with massive adoption across the developer community. That popularity made the package an attractive target for a supply chain attack. The compromise occurred when the threat actors gained unauthorized access to a maintainer's npm account, which let them publish malicious releases straight to the registry without the usual verification and with no matching commits in the project's GitHub repository.


The Attack Mechanism


The attackers published the malicious versions without OIDC-based provenance, an immediate red flag that raised suspicion among security researchers. The "plain-crypto-js" dependency used a postinstall hook in its package.json to execute malicious code automatically during installation. Because npm runs such hooks as part of `npm install`, whether or not the package is ever imported by the application, the technique bypassed traditional security checks that only look at what a package does at runtime.


The malware, codenamed SILKBELL, functioned as an obfuscated JavaScript dropper designed to fetch operating system-specific payloads from remote servers. Windows systems received PowerShell malware, macOS received a C++ binary, and Linux systems got a Python backdoor. The malware deliberately removed its own traces after execution, deleting installation files and restoring clean package content to avoid detection.


Attribution to UNC1069


Google's analysis identified multiple technical indicators connecting the attack to UNC1069. The malware used WAVESHAPER.V2, an updated version of WAVESHAPER previously deployed by the group. The command-and-control infrastructure at sfrclak[.]com resolving to 142.11.206.73 showed connections from an AstrillVPN node previously used by UNC1069, and adjacent infrastructure on the same ASN had historical links to their operations.


Developer build paths in the macOS binary referenced "Jain_DEV/client_mac/macWebT," where "macWebT" directly links to BlueNoroff's "webT" module from RustBucket and Hidden Risk malware campaigns in 2023. This connection provided additional evidence of North Korean involvement.


WAVESHAPER.V2 Capabilities


The backdoor beacons to its command-and-control server every 60 seconds using Base64-encoded JSON and a hardcoded User-Agent string. It supports four primary commands:

  • kill: terminate execution

  • rundir: enumerate directories and file metadata

  • runscript: execute AppleScript, PowerShell, or shell commands depending on the operating system

  • peinject: decode and execute arbitrary binaries


On Windows systems, the malware achieves persistence through a hidden batch file and registry entry, functioning as a full remote access trojan with command execution and file system access capabilities. The updated WAVESHAPER.V2 represents a significant evolution from the original strain, now using JSON-based communication, collecting additional system information, and supporting more backdoor commands while maintaining identical polling behaviors and an uncommon User-Agent string.
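Two of the details above are directly usable for detection: the fixed 60-second polling interval and the C2 domain and IP quoted in the attribution section. The following is an added example, not code from the post, Google or Elastic; it runs over constructed proxy log lines (format and hostnames are assumptions) and flags both known-indicator hits and any source/destination pair that polls on a roughly 60-second cadence, which also catches a beacon to a destination that is not yet on a block list.

```javascript
// Added example (not code from the post, Google or Elastic): flag the C2
// indicators quoted in the post and the fixed 60-second polling it describes
// in constructed proxy log lines: "<epoch_seconds> <src_host> <dst_host> <dst_ip>".
const C2_DOMAINS = new Set(["sfrclak.com"]); // written sfrclak[.]com in the post
const C2_IPS = new Set(["142.11.206.73"]);
const BEACON_SECS = 60;
const MIN_SAMPLES = 4; // need several intervals before calling a pair periodic
function parseLine(line) {
  const [ts, src, dst, ip] = line.trim().split(/\s+/);
  return { ts: Number(ts), src, dst, ip };
}
// tolerance = allowed drift from the 60 s period; real beacons drift by latency.
function detectBeacons(lines, tolerance = 3) {
  const hits = [];
  const byPair = new Map(); // "src->dst" -> request timestamps
  for (const rec of lines.map(parseLine)) {
    if (C2_DOMAINS.has(rec.dst) || C2_IPS.has(rec.ip)) {
      hits.push({ kind: "known-c2", src: rec.src, dst: rec.dst, ts: rec.ts });
    }
    const key = `${rec.src}->${rec.dst}`;
    byPair.set(key, (byPair.get(key) || []).concat(rec.ts));
  }
  for (const [key, times] of byPair) {
    if (times.length < MIN_SAMPLES) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    if (gaps.every((g) => Math.abs(g - BEACON_SECS) <= tolerance)) {
      const [src, dst] = key.split("->");
      hits.push({ kind: "periodic-beacon", src, dst, samples: times.length });
    }
  }
  return hits;
}
// Constructed log: build-01 polls the known C2 every ~60 s; build-03 polls an
// unlisted host at the same cadence (caught by timing alone); dev-02 is normal.
const SAMPLE_LOG = [
  "1000 build-01 sfrclak.com 142.11.206.73",
  "1061 build-01 sfrclak.com 142.11.206.73",
  "1120 build-01 sfrclak.com 142.11.206.73",
  "1181 build-01 sfrclak.com 142.11.206.73",
  "2000 build-03 updates.example 203.0.113.9",
  "2060 build-03 updates.example 203.0.113.9",
  "2121 build-03 updates.example 203.0.113.9",
  "2180 build-03 updates.example 203.0.113.9",
  "1000 dev-02 registry.npmjs.org 203.0.113.10",
  "1007 dev-02 registry.npmjs.org 203.0.113.10",
  "1500 dev-02 registry.npmjs.org 203.0.113.10",
  "1510 dev-02 registry.npmjs.org 203.0.113.10",
];
```

Calling `detectBeacons(SAMPLE_LOG)` returns four known-c2 hits for build-01 plus one periodic-beacon hit each for build-01 and build-03; dev-02's irregular registry traffic produces nothing.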


Scope and Impact


Researchers at Elastic Security captured and reverse-engineered the macOS second-stage binary before the command-and-control server went offline, confirming it was a fully functional remote access trojan written in C++. The malicious versions remained available for a brief window before detection and removal, but given Axios' massive download numbers, many downstream projects likely installed the trojanized versions during that period.


Security firm Socket detected the malicious "plain-crypto-js" package within minutes, suggesting coordinated monitoring of the npm registry. However, many developers rely on automatic updates, meaning affected versions could have been installed silently without manual intervention.


Mitigation and Recommendations


Organizations should immediately audit their dependency trees for the compromised Axios versions 1.14.1 and 0.30.4 and downgrade to safe versions if found. Developers should pin Axios to a known safe version in their package-lock.json files to prevent accidental upgrades and check for the presence of "plain-crypto-js" in their node_modules directories.
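The dependency audit described above can be automated against a lockfile. The following is an added example, not code from the post or the Axios project; it walks the `packages` map of an npm lockfile (v2/v3 format) and reports the two compromised Axios versions, any occurrence of "plain-crypto-js" at any depth, and every package that declares an install-time script, which is the mechanism the attack relied on. The lockfile content is constructed for the demo; the plain-crypto-js version string is a placeholder.

```javascript
// Added example (not code from the original post or the Axios project):
// audit a package-lock.json (lockfile v2/v3 "packages" map) for the
// indicators the post lists. SAMPLE_LOCK is constructed for the demo.
const COMPROMISED = { axios: new Set(["1.14.1", "0.30.4"]) };
const MALICIOUS_DEPS = new Set(["plain-crypto-js"]);

// "node_modules/a/node_modules/b" -> "b" (scoped names keep their "@scope/")
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = packageName(path);
    const version = entry.version;
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) {
      findings.push({ kind: "compromised-version", name, version, path });
    }
    if (MALICIOUS_DEPS.has(name)) {
      findings.push({ kind: "malicious-dependency", name, version, path });
    }
    // npm sets hasInstallScript when a package declares preinstall/install/
    // postinstall hooks; any such package runs code during `npm install`.
    if (entry.hasInstallScript) {
      findings.push({ kind: "install-script", name, version, path });
    }
  }
  return findings;
}

// Constructed lockfile: a project that picked up axios 1.14.1 and, through it,
// plain-crypto-js (version string is a placeholder, not from the post).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": {
      version: "0.0.0-placeholder",
      hasInstallScript: true,
    },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; on the constructed lockfile it returns three findings (the compromised axios version, the malicious dependency, and its install script).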


Affected systems require immediate action including termination of malicious processes, blocking of the C2 domain sfrclak[.]com and IP address 142.11.206.73, system isolation, and rotation of all credentials. Because the attack demonstrates sophisticated operational planning with pre-staged payloads for multiple operating systems and built-in forensic self-destruction, security experts warn this should be treated as a template for future attacks. Organizations need comprehensive audits across all package managers feeding their build pipelines, not just npm.



© 2025 by Explain IT Again.