North Korea-Nexus Threat Actor Compromises Axios NPM Package

In short: an attacker inserted malicious code into a software library that many developers rely on.
A North Korea-linked threat actor has compromised the axios NPM package. This attack affects millions of users and highlights serious supply chain vulnerabilities. Immediate action is required to secure affected systems.
What Happened
On March 31, 2026, a significant software supply chain attack was detected by the Google Threat Intelligence Group (GTIG). The popular Node Package Manager (NPM) package, axios, was compromised when a malicious dependency named plain-crypto-js was introduced into its releases. This attack occurred between 00:21 and 03:20 UTC, targeting axios versions 1.14.1 and 0.30.4, which are widely used for simplifying HTTP requests in JavaScript applications.
The attacker, linked to the financially motivated North Korean threat actor UNC1069, managed to gain access to the maintainer account of axios. They changed the associated email to one under their control, allowing them to manipulate the package's code. The malicious dependency acts as a dropper, deploying the WAVESHAPER.V2 backdoor across various operating systems, including Windows, macOS, and Linux.
Who's Behind It
GTIG attributes this attack to UNC1069, a group that has been active since at least 2018. The use of the WAVESHAPER.V2 backdoor is a clear indicator of their involvement. This backdoor has evolved from an earlier version, WAVESHAPER, which was previously utilized by the same threat actor. The infrastructure used in this attack shows overlaps with past UNC1069 activities, reinforcing the attribution.
The malicious dependency was introduced through a postinstall hook in the package.json file, which allowed it to execute silently upon installation. This method of attack exploits the trust developers place in popular libraries, making it particularly dangerous.
Tactics & Techniques
The attack employed several sophisticated techniques to avoid detection and ensure successful payload delivery. The plain-crypto-js package dynamically checks the operating system of the target machine and uses obfuscation methods to conceal its activities. For instance, on Windows, it downloads a PowerShell script disguised as a legitimate executable, while on macOS, it utilizes bash commands to execute malicious binaries.
The backdoor, WAVESHAPER.V2, is capable of collecting system information and executing commands remotely. It communicates with its command-and-control (C2) server, polling for instructions every 60 seconds. This continuous connection allows the attacker to maintain control over compromised systems, posing a significant risk to users and organizations that rely on axios.
Defensive Measures
In light of this attack, GTIG urges immediate action for all developers and organizations using the axios package. Key recommendations include:
- Audit Dependency Trees: Quickly check for compromised versions of axios and isolate affected systems.
- Version Control: Avoid upgrading to axios versions 1.14.1 or 0.30.4. Instead, use known-good versions.
- Dependency Pinning: Ensure that axios is pinned to a safe version in your project's package-lock.json to prevent accidental upgrades.
- Incident Response: If the malicious package is detected, assume the environment is compromised and revert to a known-good state.
By taking these steps, organizations can mitigate the risks associated with this supply chain attack and protect their systems from further exploitation.