North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
Google Threat Intelligence Group
Written by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya, Michael Rudden
Introduction
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM release versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
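A quick lockfile check for the two affected axios releases and for the malicious dependency, as an added example that is not code from the GTIG post or the axios project; the sample lockfile is constructed, and the plain-crypto-js version string in it is a placeholder:

```javascript
// Added example, not code from the GTIG post or the axios project: flag the compromised
// axios releases the advisory names (1.14.1, 0.30.4) and any "plain-crypto-js" entry
// in a package-lock.json. Node.js, no third-party modules.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// Yield {name, version, path} for every installed package; handles the lockfileVersion
// 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      yield { name: entry.name || path.slice(path.lastIndexOf("node_modules/") + 13),
              version: entry.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: dep.version, path };
      yield* walk(dep.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}
// Every entry that is the malicious dependency itself, or an axios release listed as carrying it.
function findCompromised(lock) {
  const hits = [];
  for (const e of lockEntries(lock)) {
    if (MALICIOUS_PACKAGES.has(e.name)) hits.push({ ...e, reason: "malicious dependency" });
    else if (e.name === "axios" && COMPROMISED_AXIOS.has(e.version)) {
      hits.push({ ...e, reason: "compromised axios release" });
    }
  }
  return hits;
}
// Constructed sample lockfile (v3 shape), not a real one: axios pinned to a compromised
// release that pulls in plain-crypto-js, plus an unaffected package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};
for (const h of findCompromised(SAMPLE_LOCK)) console.log(`${h.reason}: ${h.path}@${h.version}`);
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised`.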
GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at …
IoC
rule G_Hunting_Downloader_suspected_UNC1069_PS_1
{
    meta:
        description = "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2"
        author = "GTIG"
        md5 = "089e2872016f75a5223b5e02c184dfec"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Windows"
    strings:
        $ss1 = "start /min powershell -w h" ascii wide nocase
        $ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString" ascii wide nocase
        $ss3 = "Invoke-WebRequest -UseBasicParsing" ascii wide nocase
        $ss4 = "-Method POST -Body" ascii wide nocase
        $ss5 = "packages.npm.org/product1" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 5KB and all of them
}

rule G_Hunting_Downloader_SILKBELL_1
{
    meta:
        description = "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2"
        author = "GTIG"
        md5 = "7658962ae060a222c0058cd4e979bfa1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Any"
    strings:
        $ss1 = "OrDeR_7077" ascii wide fullword
        $ss2 = "String.fromCharCode(S^a^333)" ascii wide
        $ss3 = "\"TE9DQUw^\".replaceAll(\"^\",\"=\")" ascii wide
        $ss4 = "\"UFM_\".replaceAll(\"_\",\"=\")" ascii wide
        $ss5 = "\"U0NSXw--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss6 = "\"UFNfQg--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss7 = "\"d2hlcmUgcG93ZXJzaGVsbA((\".replaceAll(\"(\",\"=\")" ascii wide
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and all of them
}
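The SILKBELL rule's $ss3 to $ss7 strings are base64 literals whose '=' padding was swapped for a filler character and restored at runtime with replaceAll. As an added example that is not GTIG's code, this helper finds that expression shape in a JavaScript source string and decodes each literal so an analyst can see what the rule keys on; the sample source is constructed from the five expressions quoted in the rule, and the rule's "custom XOR" layer is not reproduced.

```javascript
// Added example, not GTIG's code: decode the padding-substituted base64 literals that the
// G_Hunting_Downloader_SILKBELL_1 rule keys on. The "custom XOR" layer named in the rule
// is not reproduced here. Node.js only, no dependencies.

// Shape used by the rule's strings: "<base64 with '=' swapped for a filler>".replaceAll("<filler>","=")
const PADDED_B64 = /"([^"]+)"\.replaceAll\("([^"])","="\)/g;

// Restore the '=' padding and base64-decode; null when the result is not valid base64.
function decodePaddedBase64(literal, filler) {
  const b64 = literal.split(filler).join("=");
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  return Buffer.from(b64, "base64").toString("utf8");
}

// Find every such expression in a JavaScript source string and return raw/decoded pairs.
function extractObfuscatedStrings(jsSource) {
  const found = [];
  for (const m of jsSource.matchAll(PADDED_B64)) {
    const decoded = decodePaddedBase64(m[1], m[2]);
    if (decoded !== null) found.push({ raw: m[0], decoded });
  }
  return found;
}

// Constructed sample: the five expressions quoted in the YARA rule, placed in a
// fragment of JavaScript that is not the actual dropper source.
const SAMPLE = [
  'var a="TE9DQUw^".replaceAll("^","=");',
  'var b="UFM_".replaceAll("_","=");',
  'var c="U0NSXw--".replaceAll("-","=");',
  'var d="UFNfQg--".replaceAll("-","=");',
  'var e="d2hlcmUgcG93ZXJzaGVsbA((".replaceAll("(","=");',
].join("\n");

for (const s of extractObfuscatedStrings(SAMPLE)) {
  console.log(`${s.raw}  ->  ${JSON.stringify(s.decoded)}`);
}
```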