Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack

Introduction

In late March 2026, the widely used JavaScript library Axios fell victim to a sophisticated software supply chain attack. Threat actor UNC1069—a financially motivated North Korea-nexus group—compromised the maintainer account, inserted a malicious dependency (plain-crypto-js), and deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. This guide breaks down the attack into seven clear steps, from initial compromise to payload execution, helping defenders understand and mitigate similar threats.

Source: www.mandiant.com

What You Need

  • Basic understanding of Node Package Manager (NPM) and JavaScript.
  • Familiarity with supply chain attack concepts (e.g., dependency confusion, malicious packages).
  • Access to NPM logs or package integrity monitoring tools for detection.
  • Knowledge of OS-level process monitoring (e.g., Sysmon, auditd).

Step 1: Compromise the Maintainer Account

The attacker targeted an Axios maintainer's credentials—likely via phishing, password reuse, or social engineering. On March 31, 2026, between 00:21 and 03:20 UTC, they successfully logged in and changed the associated email to an attacker-controlled address (ifstap@proton.me). This email swap gave the threat actor full control over the package's release process.

Step 2: Modify the Axios Package Files

Once inside the maintainer account, the attacker added a new dependency to the package.json file of Axios versions 1.14.1 and 0.30.4. The dependency—plain-crypto-js version 4.2.1—was not a legitimate library but a custom malicious package. They also injected a postinstall script hook in the dependency's own package.json:

"scripts": {
  "postinstall": "node setup.js"
}

This hook causes setup.js to run automatically whenever NPM installs the compromised Axios version, because plain-crypto-js is pulled in as its dependency and lifecycle scripts execute by default (they are skipped only if install scripts have been disabled, for example through npm's ignore-scripts setting).

Step 3: Publish the Compromised Versions

With the modified package.json and the new dependency in place, the attacker published both Axios versions to the NPM registry. Because Axios averages over 100 million weekly downloads for v1.x and 83 million for v0.x, a broad user base was potentially exposed. The package remained live for a short window before detection.

Step 4: Trigger the postinstall Hook

When users or CI/CD pipelines executed npm install axios (or a rebuild that fetched the compromised version), NPM automatically ran the postinstall script. This invoked the file setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09)—the malicious dropper named SILKBELL.

Step 5: Execute the Dropper (SILKBELL)

setup.js is heavily obfuscated using XOR and Base64 encoding to conceal critical strings such as the command-and-control (C2) URL and the OS-specific execution commands. It loads the Node.js modules and functions it needs at runtime (fs, os, and execSync from child_process) rather than naming them statically, which hinders static analysis. At runtime, the dropper:

  • Identifies the target operating system (Windows, macOS, or Linux).
  • Fetches a platform-specific payload from the C2 server.
  • Deploys a persistent backdoor (WAVESHAPER.V2).
  • Attempts to delete itself and revert the package.json to hide forensic traces.

Step 6: Deploy OS-Specific Payloads

The dropper contains distinct execution paths for each OS. For Windows, it executes commands to download and run a PowerShell or exe version of WAVESHAPER.V2. For macOS and Linux, it uses shell scripts (e.g., curl, wget) to retrieve and execute similar backdoors. WAVESHAPER.V2 is an updated variant of a backdoor previously used by UNC1069, featuring improved evasion and command capabilities.

Step 7: Maintain Access and Exfiltrate

Once WAVESHAPER.V2 is installed, it establishes a persistent C2 channel, allowing the attacker to execute arbitrary commands, steal credentials, move laterally, and exfiltrate sensitive data. The backdoor can also update itself or download additional modules, making removal challenging without thorough system cleanup.

Tips for Defenders

  • Pin exact package versions in package.json to prevent automatic installation of compromised releases.
  • Audit dependencies regularly with tools like npm audit, Snyk, or GitHub Dependabot.
  • Monitor maintainer account changes—especially email address modifications—through NPM logs or registry webhooks.
  • Use package integrity verification (e.g., npm lockfiles, SHA checksums) to detect tampering.
  • Run installations in isolated environments (containers, sandboxes) to limit blast radius.
  • Investigate unusual postinstall scripts—any package that runs arbitrary code during install should be scrutinized.
  • Implement runtime detection (e.g., Endpoint Detection & Response) for suspicious process creation like node setup.js with network connections.
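As an added example (not code from the Mandiant write-up or the axios project), the following Node.js script turns the lockfile and postinstall tips above, together with the dependency injection described in Step 2, into a check: it scans an npm package-lock.json (lockfile v2/v3 "packages" map) for the compromised axios and plain-crypto-js versions, for any package that depends on the flagged dependency, and for any package npm marks with hasInstallScript. The lockfile it scans is a constructed sample, not a real project's.

```javascript
// Added example, not code from the Mandiant report or the axios project.
// Indicators named in the guide: compromised axios releases and the malicious dependency.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Lockfile v2/v3 keys look like "node_modules/axios" or
// "node_modules/axios/node_modules/plain-crypto-js"; reduce them to a package name.
function packageName(lockKey) {
  const marker = 'node_modules/';
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// One finding per problem: a known-compromised version, a dependency on a flagged package,
// or an install-time script (npm records those as hasInstallScript in v2/v3 lockfiles).
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = packageName(key);
    const pkg = `${name}@${entry.version}`;
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ pkg, reason: 'known compromised release' });
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (COMPROMISED[dep]) findings.push({ pkg, reason: `depends on ${dep}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ pkg, reason: 'runs an install-time script' });
    }
  }
  return findings;
}

// Constructed lockfile fragment modelled on the attack: axios 1.14.1 pulling in
// plain-crypto-js 4.2.1 with its postinstall hook, plus a made-up benign filler package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '1.14.1' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/harmless-filler': { version: '0.0.1' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.pkg}: ${f.reason}`);
```

Running it against a real project means replacing SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a clean tree produces no output.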
