North Korean Hackers Breach Axios Package, Target Windows, macOS, and Linux Systems
A North Korea–nexus threat actor hijacked the popular Axios NPM package in a high‑impact software supply chain attack, deploying a backdoor capable of compromising Windows, macOS, and Linux systems silently.
Between March 31, 2026, 00:21 and 03:20 UTC, attackers breached a maintainer account to push backdoored Axios releases 1.14.1 and 0.30.4 to NPM. They altered the maintainer’s email to a ProtonMail address and added a new dependency, plain-crypto-js version 4.2.1.
Axios, a widely used JavaScript HTTP client with tens of millions of weekly downloads, was compromised, significantly amplifying the attack’s impact.
Google Threat Intelligence Group (GTIG) identifies the campaign as UNC1069, a financially driven threat group active since at least 2018.
The malicious plain-crypto-js package isn’t used in Axios’s source code; its sole function is to execute a postinstall script (setup.js) as soon as `npm install` runs.
This malware activates before any developer code, including within CI/CD pipelines and production build jobs.
Malicious Dependency and Dropper
The core dropper, SILKBELL (setup.js), employs custom XOR and Base64 obfuscation to conceal its command‑and‑control (C2) URL and OS‑specific commands.
At runtime, it loads modules like fs, os, and execSync dynamically to bypass static analysis.
It fingerprints the host OS, downloads a matching secondary payload, then deletes itself and restores Axios’s original package.json from a backup (package.md) to erase forensic traces of the postinstall hook.
Windows: The malware locates powershell.exe, copies it to %PROGRAMDATA%\wt.exe, uses curl with a crafted POST body (packages.npm.org/product1) to download a PowerShell payload to %TEMP%, then launches it with hidden window and execution policy bypass flags.
macOS: The dropper uses curl and bash to pull a Mach-O binary into /Library/Caches/com.apple.act.mond via POST data (packages.npm.org/product0), chmods it, and runs it as a background zsh process.
Linux: It downloads a Python backdoor to /tmp/ld.py using POST data (packages.npm.org/product2), then executes it.
Both branches deploy WAVESHAPER.V2, a cross‑platform remote access trojan (RAT) combining C++ with supplemental PowerShell and Python variants.
The implant beacons every 60 seconds to its C2 server at port 8000, sending Base64-encoded JSON with system details using a hard-coded User‑Agent mimicking an outdated Internet Explorer client.
Supported commands include:
- kill – terminates the malware process.
- rundir – recursively enumerates directories and returns file metadata.
- runscript – decodes and executes AppleScript payloads.
- peinject – drops and executes arbitrary binaries with optional parameters.
Windows persistence involves creating a hidden batch file in %PROGRAMDATA%\system.bat and adding a MicrosoftUpdate registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The RAT supports extensive reconnaissance, in-memory PE injection, and deep file system enumeration, facilitating data theft and follow-on intrusion operations.
Attribution to UNC1069 and Broader Risk
GTIG attributes the attack to UNC1069 based on WAVESHAPER.V2 usage, infrastructure overlaps (e.g., domains like sfrclak[.]com resolving to 142.11.206.73), and C2 patterns.
WAVESHAPER.V2 represents an evolution of earlier WAVESHAPER backdoors previously linked to UNC1069, now utilizing JSON‑based C2 traffic, expanded telemetry, and richer commands while maintaining polling behavior and the unusual User‑Agent.
This incident occurs amid a wave of supply chain attacks, including recent UNC6780 activity abusing PyPI and GitHub Actions for the SANDCLOCK credential stealer.
Defenders should immediately audit environments for installations of [email protected] and [email protected] from March 31 exposure and replace them with known‑good versions.
Compromised builds risk downstream SaaS compromises, ransomware, extortion, and cryptocurrency theft via exfiltrated secrets and tokens.
Logs should be reviewed for connections to sfrclak[.]com:8000 and the distinctive User‑Agent to identify beaconing hosts.
Security teams should rotate secrets and tokens in affected CI/CD pipelines, enforce phishing-resistant MFA for maintainers, and implement supply chain defenses monitoring for unexpected dependencies and postinstall scripts.
Indicators of Compromise (IOCs)
| Indicator | Type | Notes |
142.11.206.73 |
C2 | WAVESHAPER.V2. |
sfrclak[.]com |
C2 | WAVESHAPER.V2. |
http://sfrclak[.]com:8000 |
C2 | WAVESHAPER.V2. |
http://sfrclak[.]com:8000/6202033 |
C2 | WAVESHAPER.V2. |
23.254.167.216 |
C2 | Suspected UNC1069 Infrastructure. |