A major software supply chain attack has shaken the JavaScript ecosystem after North Korean-linked threat actors compromised the widely used axios NPM package. The malicious releases — axios 1.14.1 and 0.30.4 — pulled in a tainted dependency, plain-crypto-js, and silently delivered the WAVESHAPER.V2 backdoor to Windows, macOS, and Linux systems during installation.
Why This Matters
Axios is one of the most popular libraries for handling HTTP requests, with millions of weekly downloads. Its compromise means developer laptops, build servers, CI/CD pipelines, and downstream applications could all be exposed simply by installing what appeared to be a legitimate update.
How the Attack Worked
- Account compromise: Attackers hijacked the axios maintainer account and inserted plain-crypto-js v4.2.1.
- Delivery method: A malicious postinstall hook executed automatically during NPM installation. Installs run with --ignore-scripts (or with ignore-scripts=true in .npmrc) would not have executed it, at the cost of also skipping legitimate build steps in other packages.
- Dropper (setup.js): An obfuscated script (aka SILKBELL) checked the OS and deployed tailored payloads:
- Windows: PowerShell stage with hidden execution.
- macOS: Mach-O binary dropped in /Library/Caches.
- Linux: Python backdoor placed in /tmp/ld.py.
- Persistence: On Windows, registry keys ensured the malware launched at logon.
- Command-and-control: WAVESHAPER.V2 beaconed every 60 seconds over port 8000 using Base64-encoded JSON.
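The chain above gives a defender three concrete things to look for: a Node.js or npm process spawning the per-OS stage (PowerShell, Python, or something executing from the named drop paths), a fixed 60-second beacon to port 8000, and Base64-encoded JSON in the beacon body. The following is an added example written for this page, not code from the article or from the researchers it cites. It runs that logic over constructed process and flow records; the record shapes, hostnames and JSON field names are assumptions, not any real telemetry schema or the malware's actual protocol.

```javascript
// Added example, not code from the article or the researchers it cites.
// Detection logic for the chain described above, run over constructed
// telemetry; record shapes, hostnames and JSON field names are assumptions.

const IOC_IP = '142.11.206.73';      // IP from the article's IOC list
const BEACON_INTERVAL_S = 60;        // beacon cadence named in the article
const NODE_IMAGES = new Set(['node', 'node.exe', 'npm', 'npm.cmd', 'yarn', 'pnpm']);
const STAGE_IMAGES = new Set(['powershell.exe', 'pwsh', 'pwsh.exe', 'python', 'python3', 'python.exe']);
const STAGE_PATHS = ['/tmp/ld.py', '/Library/Caches/'];   // drop locations named in the article

// Basename that works for both Windows and POSIX paths.
function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// Flag process-creation events where a Node.js/npm parent launches an
// interpreter or references one of the drop paths.
function findSuspiciousChildren(events) {
  const findings = [];
  for (const e of events) {
    if (!NODE_IMAGES.has(basename(e.parent))) continue;
    const reasons = [];
    if (STAGE_IMAGES.has(basename(e.image))) reasons.push(`node spawned ${basename(e.image)}`);
    for (const p of STAGE_PATHS) {
      if (e.image.includes(p) || e.cmdline.includes(p)) reasons.push(`references ${p}`);
    }
    if (reasons.length) findings.push({ host: e.host, ts: e.ts, cmdline: e.cmdline, reasons });
  }
  return findings;
}

// Group outbound flows by (host, dst, dport); flag the group if the destination
// is the published IOC or the median gap between connections matches the
// beacon interval within `tolerance` (default 10%).
function findBeacons(flows, { intervalS = BEACON_INTERVAL_S, tolerance = 0.1, minCount = 3 } = {}) {
  const groups = new Map();
  for (const f of flows) {
    const key = `${f.host}|${f.dst}|${f.dport}`;
    groups.set(key, [...(groups.get(key) || []), f.ts]);
  }
  const findings = [];
  for (const [key, stamps] of groups) {
    const [host, dst, dport] = key.split('|');
    const reasons = [];
    if (dst === IOC_IP) reasons.push('destination is the published C2 address');
    if (stamps.length >= minCount) {
      const sorted = [...stamps].sort((a, b) => a - b);
      const gaps = sorted.slice(1).map((t, i) => t - sorted[i]).sort((a, b) => a - b);
      const mid = gaps.length >> 1;
      const median = gaps.length % 2 ? gaps[mid] : (gaps[mid - 1] + gaps[mid]) / 2;
      if (Math.abs(median - intervalS) <= intervalS * tolerance) {
        reasons.push(`median gap ${median}s matches a ${intervalS}s beacon to port ${dport}`);
      }
    }
    if (reasons.length) findings.push({ host, dst, dport: Number(dport), count: stamps.length, reasons });
  }
  return findings;
}

// The beacon body is described as Base64-encoded JSON: true only if `body`
// is valid Base64 that decodes to a JSON object.
function isBase64Json(body) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) return false;
  try {
    const parsed = JSON.parse(Buffer.from(body, 'base64').toString('utf8'));
    return parsed !== null && typeof parsed === 'object';
  } catch {
    return false;
  }
}

// --- constructed sample telemetry (not real logs) ---
const sampleProcessEvents = [
  { ts: 1, host: 'build-01', parent: '/usr/bin/node', image: '/usr/bin/python3', cmdline: 'python3 /tmp/ld.py' },
  { ts: 2, host: 'dev-win', parent: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: 'powershell.exe -WindowStyle Hidden -File C:\\Users\\dev\\AppData\\Local\\Temp\\stage.ps1' },
  { ts: 3, host: 'build-01', parent: '/usr/bin/node', image: '/usr/bin/git', cmdline: 'git rev-parse HEAD' },  // benign
  { ts: 4, host: 'dev-mac', parent: '/usr/local/bin/node', image: '/Library/Caches/updater', cmdline: '/Library/Caches/updater' },
];
const sampleFlows = [
  ...[0, 60, 121, 180, 240].map((ts) => ({ host: 'build-01', ts, dst: IOC_IP, dport: 8000 })),   // jittered 60s beacon to the IOC
  ...[0, 60, 120, 180].map((ts) => ({ host: 'dev-mac', ts, dst: '10.0.0.5', dport: 8000 })),    // same cadence, unknown destination
  ...[0, 5, 70, 71, 300].map((ts) => ({ host: 'dev-win', ts, dst: '10.0.0.9', dport: 443 })),   // irregular, benign
];
const sampleBeaconBody = Buffer.from(JSON.stringify({ host: 'build-01', os: 'linux' })).toString('base64');

console.log(findSuspiciousChildren(sampleProcessEvents));
console.log(findBeacons(sampleFlows));
console.log('beacon body is base64 JSON:', isBase64Json(sampleBeaconBody));
```

The cadence check deliberately uses the median gap rather than the mean so a single long pause (a laptop sleeping) does not hide an otherwise regular beacon, and it fires on the unknown 10.0.0.5 destination as well as the published IP, which is the point: the IOC list is only useful until the operators change infrastructure. Expect the process rule to be noisy on build agents where node legitimately shells out; tune it with the installing user and working directory (node_modules) before alerting on it.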
Defensive Guidance
Google Cloud researchers linked the activity to UNC1069, a financially motivated North Korea-nexus group. Defenders should act quickly:
- Avoid axios versions 1.14.1 and 0.30.4. Pin projects to 1.14.0 or earlier on the 1.x line and 0.30.3 or earlier on the 0.x line, and confirm the pin holds in the lockfile, not just in package.json.
- Check lockfiles for plain-crypto-js v4.2.0 or v4.2.1.
- Treat affected systems as compromised: rebuild or revert to known-good states.
- Rotate credentials: API keys, tokens, and secrets may have been exposed.
- Pause CI/CD jobs and clear npm, yarn, and pnpm caches.
- Block traffic to sfrclak[.]com and 142.11.206.73.
- Monitor Node.js child processes for suspicious activity, in particular node or npm spawning PowerShell or Python, or anything executing from /tmp/ld.py or /Library/Caches, during package installation.
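The lockfile check above is the one most teams will want to script across many repositories, so here it is as an added example written for this page (not code from the article or from the axios project): it audits an npm package-lock.json (lockfileVersion 1, 2 or 3) and a yarn.lock v1 for the axios and plain-crypto-js releases listed in the guidance, and also lists every package whose lock entry records an install-time lifecycle script, since a postinstall hook is how this payload ran. The lockfile excerpts in the block are constructed for the example; only the version numbers come from the article.

```javascript
// Added example, not code from the article: audit an npm package-lock.json
// (lockfileVersion 1, 2 or 3) and a yarn.lock v1 for the axios and
// plain-crypto-js releases named above, and list every package whose lock
// entry records an install-time lifecycle script. The lockfile excerpts are
// constructed for this example; only the version numbers come from the article.

const AFFECTED = {
  'axios': new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.0', '4.2.1']),
};

function checkVersion(findings, file, name, version) {
  if (AFFECTED[name] && AFFECTED[name].has(version)) {
    findings.push({ file, name, version, reason: 'compromised release' });
  }
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? '' : key.slice(idx + marker.length);
}

function auditPackageLock(lock, file = 'package-lock.json') {
  const findings = [];
  if (lock.packages) {                                  // lockfileVersion 2 or 3: flat map
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue;                         // the root project itself
      const name = entry.name || nameFromLockKey(key);  // entry.name is set for aliased installs
      checkVersion(findings, file, name, entry.version);
      // npm sets hasInstallScript when the package declares preinstall/install/postinstall,
      // so this lists every dependency that runs code during `npm install`.
      if (entry.hasInstallScript) {
        findings.push({ file, name, version: entry.version, reason: 'declares an install script' });
      }
    }
    return findings;
  }
  const walk = (deps) => {                              // lockfileVersion 1: nested tree
    for (const [name, dep] of Object.entries(deps || {})) {
      checkVersion(findings, file, name, dep.version);
      walk(dep.dependencies);
    }
  };
  walk(lock.dependencies);
  return findings;
}

// Minimal yarn.lock v1 reader: an unindented line ending in ":" opens a block
// whose comma-separated keys are "name@range" selectors; the block's indented
// `version "x"` line is the resolved version.
function auditYarnLock(text, file = 'yarn.lock') {
  const findings = [];
  let names = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      names = line.slice(0, -1).split(',').map((k) => {
        const key = k.trim().replace(/^"|"$/g, '');
        return key.slice(0, key.lastIndexOf('@'));      // lastIndexOf keeps "@scope/name" intact
      });
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) for (const name of new Set(names)) checkVersion(findings, file, name, m[1]);
  }
  return findings;
}

// --- constructed lockfile excerpts (not real project files) ---
const samplePackageLockV3 = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};
const samplePackageLockV1 = {
  lockfileVersion: 1,
  dependencies: { axios: { version: '1.14.0', dependencies: { 'plain-crypto-js': { version: '4.2.1' } } } },
};
const sampleYarnLock = `# constructed yarn.lock excerpt
axios@^0.30.0, axios@0.30.4:
  version "0.30.4"
  dependencies:
    plain-crypto-js "4.2.0"

plain-crypto-js@4.2.0:
  version "4.2.0"
`;

for (const f of [...auditPackageLock(samplePackageLockV3), ...auditPackageLock(samplePackageLockV1), ...auditYarnLock(sampleYarnLock)]) {
  console.log(`${f.file}: ${f.name}@${f.version} (${f.reason})`);
}
```

Against a real repository, feed the functions the parsed files (JSON.parse of package-lock.json, the raw text of yarn.lock); pnpm-lock.yaml is YAML and is not handled here. A quick cross-check of what npm believes is actually installed is npm ls axios plain-crypto-js in the project directory. Treat the "declares an install script" lines as a review list rather than a verdict: many legitimate native-addon packages have one, but the list is exactly where a hijacked dependency would have to appear.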
The Bigger Lesson
This incident underscores the fragility of the open source supply chain. Trusted packages can be weaponized overnight, turning routine developer behavior into a compromise vector. Because axios sits deep inside dependency trees, organizations must review not only direct installations but also inherited exposure across build pipelines and production services.
Final Thought
The axios compromise is a stark reminder: open source trust must be paired with vigilance. In the age of supply chain attacks, speed of detection and containment is critical. Developers and defenders alike must assume that even the most widely used packages can become intrusion points — and prepare accordingly.