Axios npm Supply Chain Attack - North Korean Threat Actor Strikes

Basically, a hacker tricked developers into downloading malicious software through a popular coding tool.
A North Korean threat actor compromised the axios npm package, delivering a RAT to millions of developers. This incident highlights significant security risks in software supply chains. Immediate actions are recommended to mitigate potential impacts.
The Threat
On March 31, 2026, a significant supply chain attack targeted the axios npm package, a widely used tool with over 100 million weekly downloads. The attack was attributed to UNC1069, a North Korea-nexus threat actor known for financially motivated cyber activities. This breach allowed malicious versions of axios to deliver a cross-platform remote access trojan (RAT) to potentially millions of developer environments within a mere three-hour window.
The malicious versions, 1.14.1 and 0.30.4, were published after the attacker compromised the maintainer's account. By injecting a malicious dependency called plain-crypto-js, the attacker effectively turned a trusted package into a delivery vehicle for malware. The rapid detection of this compromise highlights both the threat's urgency and the need for robust security measures in software development.
Who's Behind It
The Google Threat Intelligence Group (GTIG) has linked this attack to UNC1069, which has been active since at least 2018. This group has a history of targeting open-source ecosystems, leveraging their popularity to spread malware. The attack's sophistication is evident in the method used to publish the malicious packages, bypassing standard security protocols that typically safeguard against unauthorized releases.
GTIG's analysis indicates that the attacker used a long-lived npm access token to publish the malicious versions, which therefore lacked the trusted-publisher signatures normally attached to axios releases. Because the token did not expire, possession of it alone was enough to publish under the maintainer's name, raising alarms about the security of npm packages and the potential for similar attacks in the future.
Tactics & Techniques
The malicious axios versions executed a postinstall hook that activated an obfuscated JavaScript file, leading to the deployment of the WAVESHAPER.V2 backdoor. This backdoor is capable of running on macOS, Windows, and Linux, showcasing the attack's cross-platform capabilities. Each variant of the malware is designed to blend in with legitimate system processes, making detection challenging.
For instance, on Windows, the malware masquerades as a legitimate application, while on macOS, it installs itself in a way that mimics system cache files. This tactic not only ensures persistence but also complicates forensic analysis post-infection, as the malware cleans up after itself to avoid detection.
Defensive Measures
In light of this attack, developers and organizations using axios are urged to take immediate action. The malicious versions have been removed from the npm registry, but those who installed them should treat their systems as fully compromised. Recommended steps include:
- Rotate all credentials and secrets associated with affected systems.
- Rebuild from clean snapshots to ensure no remnants of the malware remain.
- Audit CI/CD pipelines to prevent future compromises.
- Block known command-and-control (C2) traffic associated with the attack.
Additionally, implementing version cooldown policies in package managers can help mitigate the risks of future supply chain attacks. This incident serves as a stark reminder of the vulnerabilities present in widely used software packages and the importance of vigilance in cybersecurity practices.
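As an added example (not code from the article or the axios project), the script below implements two of the defensive checks just described: it scans a package-lock.json for the compromised axios releases and for the injected plain-crypto-js dependency, and it applies a release-age cooldown using the `time` field that the npm registry returns for a package. The lockfile fragment and timestamps are constructed samples; only the package names and the two version numbers come from the article.

```javascript
// Added example: lockfile scan + release-age cooldown for the axios incident.
// Sample lockfile and registry "time" data are CONSTRUCTED for the demo.

const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']), // malicious versions named in the article
  'plain-crypto-js': null,              // null = any version of the injected dep is a finding
};

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // handles nested + scoped
    const bad = COMPROMISED[name];
    if (bad === null || (bad && bad.has(meta.version))) {
      findings.push({ name, version: meta.version, path });
    }
  }
  return findings;
}

// Cooldown policy: refuse a version published less than minAgeDays ago.
// `time` has the shape of the registry packument's "time" field (version -> ISO timestamp).
function violatesCooldown(time, version, minAgeDays, now = Date.now()) {
  const published = time[version];
  if (!published) return true; // unknown publish time: fail closed
  const ageDays = (now - Date.parse(published)) / 86400000;
  return ageDays < minAgeDays;
}

// CONSTRUCTED lockfile fragment: axios 1.14.1 pulling in plain-crypto-js.
const sampleLock = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-constructed' },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

// CONSTRUCTED "time" metadata: 1.14.1 appears one hour before the check runs.
const NOW = Date.parse('2026-03-31T12:00:00Z');
const sampleTime = { '1.14.0': '2026-03-10T09:00:00Z', '1.14.1': '2026-03-31T11:00:00Z' };

console.log('lockfile findings:', scanLockfile(sampleLock));
console.log('1.14.1 blocked by 7-day cooldown:', violatesCooldown(sampleTime, '1.14.1', 7, NOW));
```

A 7-day cooldown would have kept 1.14.1 out of fresh installs for the whole three-hour window in which it was live, while 1.14.0 (three weeks old in the sample) is still allowed.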