Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack

By

Introduction

In late March 2026, the widely used JavaScript library Axios fell victim to a sophisticated software supply chain attack. Threat actor UNC1069—a financially motivated North Korea-nexus group—compromised the maintainer account, inserted a malicious dependency (plain-crypto-js), and deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. This guide breaks down the attack into seven clear steps, from initial compromise to payload execution, helping defenders understand and mitigate similar threats.

Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack
Source: www.mandiant.com

What You Need

Step 1: Compromise the Maintainer Account

The attacker targeted an Axios maintainer's credentials—likely via phishing, password reuse, or social engineering. On March 31, 2026, between 00:21 and 03:20 UTC, they successfully logged in and changed the associated email to an attacker-controlled address (ifstap@proton.me). This email swap gave the threat actor full control over the package's release process.

Step 2: Modify the Axios Package Files

Once inside the maintainer account, the attacker added a new dependency to the package.json file of Axios versions 1.14.1 and 0.30.4. The dependency—plain-crypto-js version 4.2.1—was not a legitimate library but a custom malicious package. They also injected a postinstall script hook in the dependency's own package.json:

"scripts": {
  "postinstall": "node setup.js"
}

This hook ensures automatic execution when NPM installs the compromised Axios package.

Step 3: Publish the Compromised Versions

With the modified package.json and the new dependency in place, the attacker published both Axios versions to the NPM registry. Because Axios averages over 100 million weekly downloads for v1.x and 83 million for v0.x, a broad user base was potentially exposed. The package remained live for a short window before detection.

Step 4: Trigger the postinstall Hook

When users or CI/CD pipelines executed npm install axios (or a rebuild that fetched the compromised version), NPM automatically ran the postinstall script. This invoked the file setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09)—the malicious dropper named SILKBELL.

Step 5: Execute the Dropper (SILKBELL)

setup.js is heavily obfuscated using XOR and Base64 encoding to conceal critical strings like the command-and-control (C2) URL and OS execution commands. It dynamically loads Node.js modules (fs, os, execSync) to evade static analysis. At runtime, the dropper:

Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack
Source: www.mandiant.com

Step 6: Deploy OS-Specific Payloads

The dropper contains distinct execution paths for each OS. For Windows, it executes commands to download and run a PowerShell or exe version of WAVESHAPER.V2. For macOS and Linux, it uses shell scripts (e.g., curl, wget) to retrieve and execute similar backdoors. WAVESHAPER.V2 is an updated variant of a backdoor previously used by UNC1069, featuring improved evasion and command capabilities.

Step 7: Maintain Access and Exfiltrate

Once WAVESHAPER.V2 is installed, it establishes a persistent C2 channel, allowing the attacker to execute arbitrary commands, steal credentials, move laterally, and exfiltrate sensitive data. The backdoor can also update itself or download additional modules, making removal challenging without thorough system cleanup.

Tips for Defenders

Tags:

Related Articles

Recommended

Discover More

onbetonbet13winvn123Kubernetes v1.36 Enhances Memory QoS with Tiered Protection and Opt-In Reservations5 Key Ways Ubuntu Is Embracing AI in 2026: What You Need to Know92lotteryj88The Great Fedora GNOME Bug Debate: 6 Key Insights13winvn123Canonical Under Siege: Cyberattack Disrupts Ubuntu, Snap Store, and Launchpad10 Key Milestones in Kia’s Electric Vehicle Surge—From the EV9 to the Upcoming EV392lotteryj88