The Axios Breach: When npm Trust Becomes an APT Attack Vector

2026-04-06, PolySwarm
https://blog.polyswarm.io/the-axios-breach-when-npm-trust-becomes-an-apt-attack-vector
#Axios #NPM #UNC1069

Verticals Targeted: Software, Technology, Cloud, Enterprise IT environments
Regions Targeted: Global
Related Families: WAVESHAPER.V2
Executive Summary
A supply chain compromise of the widely used Axios npm package introduced a malicious dependency that delivered cross-platform remote access trojans, now linked with high confidence to UNC1069, a North Korea-aligned threat cluster. The campaign leveraged maintainer account takeover, npm publishing abuse, and install-time execution to target developer environments and CI/CD pipelines during a short but high-risk exposure window.
Key Takeaways
- Malicious versions of [email protected] and 0.30.4 included a staged dependency that executes a postinstall RAT payload.
- The attack leveraged maintainer account takeover, bypassing typical trust assumptions in the npm ecosystem.
- The payload delivered OS-specific RATs, targeting macOS, Windows, and Linux, with persistence, reconnaissance, and remote execution capabilities.
- An exposure window of around 3 hours presents high risk to CI/CD systems and auto-install pipelines.
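As an added defender-side example (not code from the PolySwarm post or from the Axios project), the Node.js script below audits a `package-lock.json` for the three properties this incident turned on: a pinned malicious version, a tarball resolved from a host other than the npm registry, and a dependency that declares install-time scripts. The bad-version set (only the 0.30.4 release named on this page), the trusted-host allowlist, the sample lockfile and the `product0` package name taken from the IoC URL's path are assumptions made for illustration.

```javascript
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]); // assumption: sole trusted registry
const KNOWN_BAD = { axios: new Set(["0.30.4"]) }; // version named on this page; extend from advisory

// Walk a lockfileVersion 2/3 "packages" map and return a list of findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    const version = meta.version || "?";
    // 1. Exact match against the advisory's malicious releases.
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version)) {
      findings.push({ name, version, rule: "known-bad-version" });
    }
    // 2. Tarball resolved from a host outside the registry allowlist.
    if (meta.resolved) {
      let host;
      try { host = new URL(meta.resolved).host; } catch { host = "unparsable"; }
      if (!TRUSTED_HOSTS.has(host)) {
        findings.push({ name, version, rule: "untrusted-resolve-host", detail: host });
      }
    }
    // 3. Install-time hooks: npm records preinstall/install/postinstall as
    //    hasInstallScript in lockfile v2+; this is the step where the RAT ran.
    if (meta.hasInstallScript) {
      findings.push({ name, version, rule: "install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a captured file): one clean dependency, the
// axios version named on the page, and a hypothetical staged dependency
// "product0" fetched from the IoC host with a postinstall hook.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/axios": { version: "0.30.4",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.30.4.tgz" },
    "node_modules/product0": { version: "1.0.0",
      resolved: "http://packages.npm.org/product0/-/product0-1.0.0.tgz",
      hasInstallScript: true },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.rule}: ${f.name}@${f.version}${f.detail ? " (" + f.detail + ")" : ""}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run it before `npm ci`, since a finding under any rule is a reason to stop the pipeline before install scripts execute. Installing with `npm ci --ignore-scripts` in CI removes the install-time execution path altogether.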
The Activity
A high-impact software supply chain attack targeted the npm ecosystem through compromise of the widely used …

IoC

http://packages.npm.org/product0
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101