8 Critical Facts About the North Korean Axios NPM Supply Chain Attack
In late March 2026, the cybersecurity world was rattled by a sophisticated supply chain attack targeting the widely used Axios library for Node.js. Threat actors linked to North Korea compromised the library's maintainer account and injected a malicious dependency into two popular versions of Axios, affecting millions of developers. This article breaks down the key facts every developer and security professional should know about this incident, from the initial breach to the deployment of the WAVESHAPER.V2 backdoor.
1. The Target: Axios, a JavaScript Staple
Axios is one of the most popular JavaScript libraries for making HTTP requests, boasting over 83 million weekly downloads for its legacy 0.x branch and more than 100 million for the 1.x series. Its ubiquity in web development, from simple scripts to enterprise applications, made it an attractive target. By compromising Axios, the attackers gained a potential foothold in countless environments. The attack exploited its trusted status to silently deliver malware to unsuspecting developers who updated or installed the package.

2. The Timeline: A Three-Hour Window
Between March 31, 2026, at 00:21 UTC and 03:20 UTC, the attacker injected a malicious dependency named plain-crypto-js into Axios releases version 1.14.1 and 0.30.4. This short, sharp attack window suggests careful planning and execution. The malicious package was added as a direct dependency, meaning any developer running npm install axios@1.14.1 or npm install axios@0.30.4 within that timeframe would automatically download the compromised code. Google Threat Intelligence Group (GTIG) detected the anomaly and alerted the open-source community shortly after.
3. How the Compromise Occurred: Account Takeover
Investigation revealed that the attacker gained access to the official Axios maintainer account. As part of the takeover, the account's associated email address was changed to ifstap@proton.me, an attacker-controlled address. Once inside, they published a new version of Axios that included plain-crypto-js as a dependency. This type of account compromise—often achieved through phishing, credential theft, or social engineering—highlights the vulnerability of open-source ecosystems that rely on trusted individuals with elevated permissions.
4. The Malicious Dependency: plain-crypto-js
The attacker introduced a package named plain-crypto-js version 4.2.1, which appeared to be a benign cryptography utility but was actually an obfuscated dropper. The dropper, named SILKBELL (setup.js), was designed to execute automatically during installation via the postinstall hook in the package's package.json. This hook runs commands after the package is installed, triggering the dropper without any user interaction. The script used custom XOR and Base64 encoding to hide its command-and-control (C2) URL and execution logic.
5. The Payload: WAVESHAPER.V2 Backdoor
Once executed, SILKBELL deployed the WAVESHAPER.V2 backdoor. This is an updated variant of the WAVESHAPER malware previously used by the North Korea-linked threat actor UNC1069. WAVESHAPER.V2 is a sophisticated backdoor capable of exfiltrating data, executing arbitrary commands, and maintaining persistence across Windows, macOS, and Linux systems. The dropper checked the target operating system and downloaded the appropriate binary from the C2 server, ensuring compatibility and stealth.

6. OS-Specific Execution Paths
SILKBELL did not use a one-size-fits-all approach. Instead, it dynamically identified the host OS and executed tailored routines. For Windows, it utilized PowerShell or cmd commands to download and run the backdoor. On macOS and Linux, it leveraged shell scripts. After successful delivery, the dropper attempted to delete itself and restore the original package.json to remove traces of the postinstall hook, making forensic analysis more challenging. This multi-platform capability underscores the threat actor's intent to maximize their reach.
7. Attribution: The North Korea Nexus
GTIG attributes this attack to UNC1069, a financially motivated North Korea-linked group active since at least 2018. The attribution is based on the use of WAVESHAPER.V2, which has been tied to UNC1069 in previous campaigns. Further, analysis of infrastructure artifacts—such as IP addresses and domain patterns—showed overlaps with past UNC1069 operations. This group often targets cryptocurrency businesses, but their expansion into the open-source supply chain indicates a shift in tactics, potentially aiming to compromise downstream users for financial gain or espionage.
8. How to Protect Yourself
Defenders should immediately verify that they are not using the compromised Axios versions (1.14.1 and 0.30.4). Check for the presence of the plain-crypto-js package in your node_modules or lock files. Remove the malicious package and revert to a known good Axios version (e.g., 1.13.0 or 1.14.0). Because the postinstall hook runs automatically at install time, any machine on which the malicious package was installed should be treated as potentially compromised, not merely cleaned of the package. Additionally, monitor for unusual network connections to unfamiliar domains, especially those associated with known C2 infrastructure. Enable npm security audits and use package integrity verification, such as the integrity hashes recorded in lock files, to detect tampered dependencies.
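The lock-file check described in fact 8, together with the install-script indicator from fact 4, as an added Node.js example (not code from the article or the Axios project). It scans a parsed npm lockfile for the compromised Axios versions, the plain-crypto-js dependency, and any package that carries an install script; the sample lockfile is constructed, and a real scan would load package-lock.json with JSON.parse(fs.readFileSync(...)).

```javascript
// Added example, not code from the article or the Axios project. Package names
// and versions in the indicator lists come from the article.
const COMPROMISED_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };
const MALICIOUS_PACKAGES = new Set(['plain-crypto-js']);

// Yield {name, version, path, hasInstallScript} for every installed package,
// handling both the v2/v3 "packages" map and the v1 nested "dependencies" tree.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      // npm records hasInstallScript for packages with preinstall/install/postinstall hooks
      yield { name, version: entry.version, path, hasInstallScript: Boolean(entry.hasInstallScript) };
    }
    return;
  }
  function* walk(deps, prefix) { // v1 lockfiles nest dependencies recursively
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: entry.version, path, hasInstallScript: false }; // v1 does not record scripts
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Return one finding per matched indicator; an empty array means no match.
function scanLockfile(lock) {
  const findings = [];
  for (const e of lockEntries(lock)) {
    if (MALICIOUS_PACKAGES.has(e.name)) findings.push({ kind: 'malicious-package', ...e });
    if (COMPROMISED_VERSIONS[e.name]?.has(e.version)) findings.push({ kind: 'compromised-version', ...e });
    if (e.hasInstallScript) findings.push({ kind: 'install-script', ...e });
  }
  return findings;
}

// Constructed sample lockfile mirroring the article's scenario (not real data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/some-other-dep': { version: '2.0.0' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.kind}: ${f.path}@${f.version}`);
```

The install-script finding is a generic indicator, not proof of compromise, since many legitimate native packages also declare install hooks; it is listed so the reviewer knows which packages ran code at install time.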
The attack on Axios serves as a stark reminder that even the most trusted open-source libraries can become vectors for supply chain compromises. By understanding the tactics used—account takeover, malicious dependencies, and platform-specific payloads—organizations can take proactive steps to mitigate risks. Stay vigilant, verify your dependencies, and always keep your security tooling up to date.