North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package
- #NPM Compromise
- #North Korea Nexus Threat Actor
- #Supply Chain Attack
- An attacker compromised the widely used NPM package 'axios' on March 31, 2026, by adding a malicious dependency, 'plain-crypto-js', to versions 1.14.1 and 0.30.4.
- The attack is attributed to UNC1069, a financially motivated North Korea-nexus threat actor, using the WAVESHAPER.V2 backdoor that targets Windows, macOS, and Linux systems.
- The malicious dependency uses a postinstall hook to execute an obfuscated JavaScript dropper, which delivers OS-specific payloads and attempts to hide forensic traces after deployment.
- WAVESHAPER.V2 is a RAT whose capabilities include reconnaissance, command execution, and file system enumeration; it beacons to its C2 every 60 seconds and establishes persistence on Windows.
- Remediation steps include avoiding compromised axios versions, auditing dependencies for 'plain-crypto-js', blocking C2 infrastructure, rotating credentials, and implementing supply chain security measures.
- The attack's broad impact highlights risks in software supply chains, with potential for further compromises, credential theft, and ransomware, urging defenders to prioritize detection and hardening.