
Supply Chain Attack on Popular Axios Package Linked to North Korean Threat Actor

Asked 2026-05-03 04:30:44 Category: Software Tools

Introduction

Google Threat Intelligence Group (GTIG) has uncovered an ongoing software supply chain attack targeting the widely used Node Package Manager (NPM) package axios. Between March 31, 2026, 00:21 and 03:20 UTC, unauthorized code was injected into axios versions 1.14.1 and 0.30.4, introducing a malicious dependency named plain-crypto-js. Axios, the most popular JavaScript library for simplifying HTTP requests, normally sees over 100 million and 83 million weekly downloads for these respective versions. The malicious dependency acts as an obfuscated dropper, deploying the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems.

Source: www.mandiant.com

GTIG attributes this activity to UNC1069, a financially motivated threat actor linked to North Korea that has been active since at least 2018. This attribution is based on the use of WAVESHAPER.V2, an updated version of a backdoor previously employed by this group, and overlapping infrastructure artifacts with past UNC1069 operations.

This article provides a detailed breakdown of the attack lifecycle—from the initial account compromise to the deployment of operating system-specific payloads—and offers actionable guidance for defenders to detect and mitigate this threat.

Campaign Overview

On March 31, 2026, GTIG observed the introduction of plain-crypto-js version 4.2.1 as a dependency in the legitimate axios package version 1.14.1. Investigation indicates that the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled account (ifstap@proton.me).

The threat actor exploited the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. When users install the compromised axios package, NPM automatically runs an obfuscated JavaScript dropper named setup.js in the background without any visible indication.

The relevant excerpt from the malicious package.json includes:

"scripts": {
  "test": "echo \"Error: no test specified\" && exit 1",
  "postinstall": "node setup.js"
}

Malware Analysis

The plain-crypto-js package serves as a delivery vehicle for the actual payload. Its core component, designated SILKBELL, is contained in setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09). Upon execution, this script dynamically checks the target system's operating system to deliver platform-specific payloads.

The script uses a custom XOR- and Base64-based string obfuscation routine to conceal the command-and-control (C2) URL and the OS-specific execution commands. To evade static analysis, it loads the fs and os modules and the execSync function (from child_process) only at runtime rather than importing them at the top of the file. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to remove forensic traces of the postinstall hook.

Operating System-Specific Execution Paths

Depending on the identified platform, the dropper executes the following routines:

Windows

On Windows systems, the dropper actively…

macOS

For macOS targets, the dropper delivers a Mach-O binary that achieves similar persistence and backdoor functionality tailored to the Unix-like environment.

Linux

On Linux systems, an ELF binary is dropped, which performs the same malicious actions—data exfiltration, remote command execution, and credential theft—while evading detection by masquerading as a legitimate system process.


Attribution and Context

GTIG's assessment that UNC1069 is behind this attack is supported by several indicators. The WAVESHAPER backdoor has been consistently used by this group in previous campaigns targeting cryptocurrency exchanges, blockchain developers, and other financially lucrative targets. Additionally, IP addresses and domains used for C2 in this attack show overlap with infrastructure documented in prior UNC1069 operations.

UNC1069 is believed to operate under the direction of the North Korean government, likely as part of a broader effort to generate revenue through cyber theft and extortion. The group's activity since 2018 has included supply chain attacks, credential harvesting, and cryptojacking.

Mitigation and Detection

Defenders should take immediate steps to identify and remediate any signs of compromise:

  • Check for affected packages: Scan projects for axios versions 1.14.1 and 0.30.4, or any dependency that includes plain-crypto-js. Revert to a known good version (e.g., 1.14.0 for the 1.x branch, 0.30.3 for the 0.x branch).
  • Monitor for suspicious postinstall scripts: Review package-lock.json and yarn.lock for unexpected dependencies or script hooks. Use NPM audit tools to detect known malicious packages.
  • Analyze network traffic: Look for connections to unknown or suspicious domains on unusual ports, especially those matching C2 patterns from past UNC1069 campaigns.
  • Review system processes: Check for unexpected background processes named node setup.js or similar. On Windows, look for WAVESHAPER artifacts; on macOS/Linux, inspect unusual binaries in temporary directories.
  • Enable logging and alerting: Implement file integrity monitoring (FIM) for package.json modifications and detection of postinstall hook executions.
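A lock-file audit for the first two checks above, as an added example that is not code from the GTIG report or the axios project: it walks an npm lockfileVersion 3 "packages" map, flags the affected versions named in this article, and reports any install-time lifecycle hook found in the resolved packages' manifests. The lock file and manifests are constructed samples, and the known-bad version table is assumed from this article rather than from an official advisory feed.

```javascript
// Added example (not from the GTIG/Mandiant report). Known-bad versions are
// taken from this article: axios 1.14.1 / 0.30.4 pulled in plain-crypto-js 4.2.1.
const KNOWN_BAD = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};
// npm runs these lifecycle hooks automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed lockfileVersion 3 excerpt: keys of "packages" are node_modules paths.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

// Constructed manifests, keyed by lock path, as read from <path>/package.json.
const SAMPLE_MANIFESTS = {
  "node_modules/plain-crypto-js": {
    name: "plain-crypto-js", version: "4.2.1",
    scripts: { test: 'echo "Error: no test specified" && exit 1', postinstall: "node setup.js" },
  },
  "node_modules/axios": { name: "axios", version: "1.14.1", scripts: { test: "mocha" } },
  "node_modules/follow-redirects": { name: "follow-redirects", version: "1.15.9" },
};

// Package name from a (possibly nested, possibly scoped) node_modules path.
function packageName(lockPath, entry) {
  const marker = "node_modules/";
  return entry.name || lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns one finding per known-bad version and per install-time hook found.
function scanLockfile(lock, manifests) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path, entry);
    const bad = KNOWN_BAD[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ path, name, version: entry.version, reason: "known-bad version" });
    }
    const scripts = (manifests[path] || {}).scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (hook in scripts) {
        findings.push({ path, name, version: entry.version, reason: `install hook: ${hook} -> ${scripts[hook]}` });
      }
    }
  }
  return findings;
}
```

Every hook finding deserves review, not just the ones on packages in the known-bad table, because a legitimately named package can carry the same postinstall pattern.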

Conclusion

The compromise of the widely used axios package underscores the persistent threat of software supply chain attacks, especially from nation-state actors like UNC1069. This incident highlights the importance of rigorous dependency management, regular security audits, and proactive threat intelligence. Developers and organizations using axios should act swiftly to assess their exposure, clean installations, and implement the recommended detection measures to prevent further damage.

GTIG continues to monitor this activity and will provide updates as more information becomes available. By understanding the attack lifecycle and leveraging the indicators of compromise, defenders can better protect their environments from similar threats in the future.