North Korea-Linked Hackers Poison Axios NPM Package in Supply Chain Attack: Key Questions Answered
In late March 2026, a sophisticated supply chain attack targeted the widely used Axios JavaScript library on NPM. Attackers compromised the package maintainer account and inserted a malicious dependency that delivered a backdoor to Windows, macOS, and Linux systems. This Q&A breaks down the incident, the threat actor behind it, and how defenders can respond.
1. What happened in the Axios supply chain attack?
Between March 31, 2026, at 00:21 and 03:20 UTC, an unknown attacker introduced a malicious dependency named plain-crypto-js into two Axios NPM releases: versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library for simplifying HTTP requests; the two affected release lines see over 100 million and 83 million weekly downloads respectively. The malicious dependency acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Google Threat Intelligence Group (GTIG) tracked the attack and attributed it to a North Korea-nexus threat actor, UNC1069, based on malware similarities and infrastructure overlaps.

2. Who is the threat actor UNC1069 and how were they linked to this attack?
UNC1069 is a financially motivated threat actor with ties to North Korea, active since at least 2018. GTIG attributed the Axios attack to UNC1069 because the deployed backdoor, WAVESHAPER.V2, is an updated version of WAVESHAPER previously used by this group. Additionally, infrastructure artifacts from this attack—such as C2 URLs and hosting patterns—matched those used in past UNC1069 campaigns. The group is known for targeting developers and software supply chains to gain access to downstream users, often for financial gain. This attribution gives defenders critical context for hunting related activity and prioritizing defenses.
3. How did the attackers compromise the Axios package and insert malware?
The attack began with a compromise of the maintainer account for the Axios NPM package. GTIG observed that the account's associated email was changed to an attacker-controlled address (ifstap@proton.me). The threat actor then published versions 1.14.1 and 0.30.4 of Axios with plain-crypto-js listed as a dependency. Inside that malicious package, they modified the package.json file to include a postinstall hook: "postinstall": "node setup.js". When users installed the compromised Axios package via NPM, the setup.js script executed automatically without any user interaction—a classic supply chain injection technique designed for silent, widespread distribution.
4. What does the malicious 'plain-crypto-js' package do?
The plain-crypto-js package is a payload delivery vehicle, not a simple library. Its core component, named SILKBELL (setup.js), is an obfuscated JavaScript dropper (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09). Upon execution, it checks the host operating system with os.platform(). To evade static analysis, the script loads the Node.js facilities it needs (fs, os, and execSync from child_process) at runtime and hides the C2 server address and shell commands behind XOR and Base64 encoding. After dropping the platform-appropriate secondary payload, setup.js attempts to delete itself and revert package.json to remove the postinstall hook, covering its forensic tracks. This modular, cross-platform design lets the threat actor compromise a wide range of systems with a single malicious package.

5. How does the dropper target different operating systems?
The SILKBELL dropper identifies the host OS and executes platform-specific routines:
- Windows: The script uses commands like powershell.exe or cmd.exe to download and execute the WAVESHAPER.V2 backdoor, often utilizing scheduled tasks or registry modifications for persistence.
- macOS: It employs shell scripts that leverage curl or python3 to retrieve the payload and add it as a launch agent.
- Linux: Similar to macOS, it uses bash commands to fetch the backdoor and install it via cron jobs or systemd services.
Each path delivers the same final payload—WAVESHAPER.V2—but tailored to the target environment. This multi-OS coverage significantly increases the attack's potential reach, especially given Axios's widespread use across development machines and CI/CD pipelines.
6. What actions should organizations take to detect and mitigate this threat?
Defenders should verify they are not running the compromised Axios versions (1.14.1 or 0.30.4) and check node_modules for the presence of plain-crypto-js. GTIG provides the following recommendations:
- Audit dependencies: Review package-lock.json or yarn.lock for any reference to plain-crypto-js.
- Monitor for postinstall hooks: Unexpected postinstall scripts in dependencies are a red flag; consider using npm audit or manual review.
- Check for WAVESHAPER.V2 indicators: Look for network connections to known C2 infrastructure and unusual child processes from Node.js.
- Implement supply chain security: Use software composition analysis (SCA) tools, enforce package signing, and limit automatic updates for critical packages.
If compromise is suspected, isolate affected systems, revoke credentials, and conduct a full forensic investigation. For detailed IOCs and YARA rules, refer to the original GTIG report.