Axios Supply Chain Attack: North Korea-Linked Threat Actor Releases WAVESHAPER.V2 Backdoor

From Moocchen, the free encyclopedia of technology

In late March 2026, Google Threat Intelligence Group (GTIG) uncovered a sophisticated software supply chain attack targeting the widely used Axios npm package. A North Korea-nexus threat actor, tracked as UNC1069, compromised the maintainer account and injected a malicious dependency called plain-crypto-js into Axios versions 1.14.1 and 0.30.4. This dependency delivered the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Below we answer the most pressing questions about this incident.

What is the North Korea-nexus supply chain attack on Axios?

This attack targeted the popular JavaScript library Axios, which simplifies HTTP requests and boasts over 100 million weekly downloads for its latest version alone. Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious npm package called plain-crypto-js as a dependency in Axios releases 1.14.1 and 0.30.4. The package acted as an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor on all major operating systems. Google Threat Intelligence Group attributed the campaign to UNC1069, a financially motivated North Korea-linked actor active since at least 2018. The attack exploited the trust in a widely used open-source component to infect downstream users silently.

[Figure: Axios Supply Chain Attack: North Korea-Linked Threat Actor Releases WAVESHAPER.V2 Backdoor. Source: www.mandiant.com]

How did the attacker compromise the Axios package?

The threat actor gained access to the Axios npm maintainer account through unknown means, then changed the associated email address to an attacker-controlled one: ifstap@proton.me. With this elevated access, they published the compromised versions (1.14.1 and 0.30.4) that included the malicious plain-crypto-js dependency. The malicious package used a postinstall hook in its package.json file to execute setup.js automatically upon installation. This technique allowed silent, background execution without requiring any user interaction, making it extremely difficult for developers to detect during routine dependency updates.

What is the plain-crypto-js malicious dependency?

plain-crypto-js (version 4.2.1) is a seemingly innocuous npm package that served as the payload delivery vehicle in this supply chain attack. Its core component, named SILKBELL, is an obfuscated JavaScript dropper stored in setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09). Upon execution, the dropper checks the target operating system and deploys platform-specific payloads. It uses a custom XOR and Base64 obfuscation routine to conceal the command-and-control (C2) URL and execution commands. To evade static analysis, it resolves fs, os, and execSync dynamically at runtime rather than requiring them statically. After dropping the secondary payload, setup.js attempts to delete itself and reverts the modified package.json to hide forensic traces of the postinstall hook.

How does the SILKBELL dropper work?

Upon installation of the compromised Axios package, npm automatically triggers the postinstall script, launching setup.js. This dropper first identifies the host operating system—Windows, macOS, or Linux—using built-in Node.js modules. It then decrypts its embedded C2 URL and OS-specific execution commands using a custom XOR and Base64 algorithm. For each platform, it downloads a tailored payload from the C2 server and executes it in memory or writes it to disk. The dropper attempts to autonomously remove itself after successful deployment: it deletes setup.js and restores the original package.json entries to erase evidence of the malicious hook. This self-cleaning behavior significantly complicates post-incident forensic analysis.


Which operating systems are targeted and how?

The campaign targets three major platforms: Windows, macOS, and Linux. On Windows, the dropper executes a routine (details not fully disclosed) that ultimately delivers the WAVESHAPER.V2 backdoor. For macOS and Linux, the dropper follows analogous OS-specific execution paths, ensuring the backdoor is installed and persistent regardless of the environment. The use of a single cross-platform dropper written in Node.js allows the attacker to maximize reach through the popular Axios library. Each platform gets a version of the backdoor tailored to its native APIs, but the core WAVESHAPER.V2 functionality—remote control, data exfiltration, and keylogging—remains consistent across all systems.

Who is behind this attack (UNC1069)?

Google Threat Intelligence Group attributes the activity to UNC1069, a financially motivated threat actor with ties to North Korea. The group has been active since at least 2018 and is known for targeting cryptocurrency exchanges, financial institutions, and software supply chains. This attack uses WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously associated with UNC1069. Further, analysis of infrastructure artifacts—such as C2 server configurations and hosting patterns—shows overlaps with past UNC1069 campaigns. The actor’s primary goal appears to be financial gain, likely through credential theft, cryptocurrency theft, or ransomware deployment facilitated by the widespread Axios compromise.

What can defenders do to detect and mitigate this threat?

Defenders should immediately audit their npm dependencies for any use of axios versions 1.14.1 or 0.30.4 or the malicious package plain-crypto-js (version 4.2.1). Organizations can scan for the indicator of compromise (IOC): the SHA256 hash e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09. Additionally, monitor network traffic for connections to unknown or suspicious domains associated with the C2 infrastructure. Implementing runtime security controls that detect unexpected postinstall script executions in npm packages can reduce risk. Pinning dependencies to known safe versions and using package integrity verification (e.g., npm audit, lockfiles) are essential best practices. Finally, maintain vigilant software composition analysis to catch malicious dependencies before they enter production environments.