Axios npm supply chain attack? North Korea’s fingerprints all over it.
Google Threat Intelligence dropped the bomb: UNC1069, a North Korean crew chasing cash since 2018, seized the Axios maintainer account and slipped in trojanized versions 1.14.1 and 0.30.4, innocent-looking bumps that hid a beast.
Here’s the sneaky part. No code tweaks to Axios itself. Instead, they tucked a malicious dependency, plain-crypto-js, into the mix. Its package.json? Booby-trapped with a postinstall hook. Install the package, and boom — npm runs the evil script quietly in the background. Stealthy as a shadow.
That hook launches SILKBELL, an obfuscated JS dropper (setup.js). It pings a remote server, grabs the right payload for your OS: PowerShell nasty for Windows, C++ Mach-O for macOS, Python backdoor for Linux. Then it cleans up — swaps out the package.json for a clean one, erases traces. Poof.
How Did They Own the Maintainer Account?
Account takeover, classic. They nabbed the npm creds — phishing? Password spray? The report doesn’t say, but DPRK crews love social engineering. Taylor Long at GTIG notes they’ve done this before with npm for crypto grabs. But this? Broader net.
Elastic Security Labs spotted it first, linking to UNC1069 via code overlaps. WAVESHAPER.V2, the backdoor payload — upgraded from the original WAVESHAPER. Same DNA: dynamic C2 URLs via CLI args, 60-second beacons, weird User-Agent, temp dirs like /Library/Caches/com.apple.act.mond.
Evolutions? JSON C2 now, not raw binary. More commands: kill (self-destruct), rundir (file scouting), runscript (OS-specific shells), peinject (arbitrary binary runs). Beefier recon, too — system info hoover.
And that macOS binary? Developer paths screaming BlueNoroff ties — macWebT from 2023 RustBucket ops. Giuseppe Massaro nailed that connection. DPRK’s not subtle when you zoom in.
“We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” John Hultquist, chief analyst at Google Threat Intelligence Group (GTIG), told The Hacker News in a statement.
Why Axios? And What’s the Endgame?
Axios: 20 million weekly downloads. Dev darling for HTTP requests. Hit it, you snag devs building web apps, APIs, everything. UNC1069’s crypto-focused historically — supply chains for wallet drains. But here? No obvious coin theft or ransomware.
Cash motive assumed — DPRK mandates revenue for the regime. Long says post-compromise visibility’s low, but expect financial plays to surface. My take? This isn’t just evolution; it’s an architectural pivot. Remember SolarWinds? State-scale supply chain. UNC1069 miniaturizes it for npm’s chaos — a fragmented, trust-based ecosystem. No central gatekeeper like enterprise IT. Devs run npm install blind, trusting maintainers.
Unique angle: Echoes Stuxnet’s air-gapped ingenuity, but flipped for profit. DPRK’s blending nation-state tradecraft (C2 polish, multi-OS) with script-kiddie venues (public repos). Prediction: If unmitigated, we’ll see WAVESHAPER.V2 clusters in crypto firms, DeFi startups — disguised as legit deps.
Google and Mandiant call it direct lineage. But PR spin? They’re late — Elastic flagged first. Hultquist admits full impact’s murky, given Axios’s reach. Far-reaching? Understatement. Millions exposed.
The Backdoor’s Arsenal, Dissected
Four commands, cross-platform menace. Kill: GTFO. Rundir: Maps your dirs, timestamps, sizes — prep for exfil. Runscript: Fires AppleScript (macOS), PowerShell (Windows), shell (Linux). Peinject: Drops and runs anything.
C2 at sfrclak[.]com — block it, yesterday. But the hook? It covers its tracks post-install, swapping in a clean package.json. Check node_modules for plain-crypto-js. Nuke it.
Broader why: NPM’s wild west. 2 million packages, maintainer churn. DPRK exploits that — social-engineer one account, cascade to dependents. It’s not a bug; it’s a design flaw in open-source velocity.
Historical parallel? 3CX supply chain, 2023 — North Koreans again, via legit software. Pattern: Infiltrate trusted tools, wait for installs. But Axios? Frontend ubiquity amps the scale.
Mitigation: Don’t Be the Next Victim
Audit deps — npm ls | grep axios. Stuck on 1.14.1 or 0.30.4? Downgrade to 1.14.0 or 0.30.3. Pin in package-lock.json. Scan for plain-crypto-js. Kill rogue processes. IOCs: that C2 domain and an IP (cut off in the original source, but hunt sfrclak.com).
Tools? Socket, Snyk for supply chain scans. But proactive? Multi-factor on npm accounts. Maintainer fatigue’s real — rotate duties.
DPRK’s not stopping. UNC1069’s playbook: Crypto heists since ‘18. This? Testbed for bigger npm hauls.
Is This the New Normal for NPM Supply Chains?
Short answer: Yeah. Dev tools are the soft underbelly. Why? Speed trumps scrutiny. Companies hype “secure by default” — bs. NPM’s postinstall hooks? Gift to attackers.
Bold call: Expect copycats. Not just DPRK — any APT with dev chops. Architectural shift: From phishing to poison pills in the toolchain.
Why Does the Axios Attack Matter for Developers?
You’re npm installing daily. One bad dep, and WAVESHAPER’s on your box. Cross-OS — no safe harbor. Financial? Maybe not yet, but persistence means keyloggers, creds, pivots incoming.
Frequently Asked Questions
What is the Axios npm supply chain attack?
Google-attributed hack by North Korean UNC1069: They took over the maintainer account, pushed malicious Axios versions with a hidden backdoor dependency.
How to check if my project has the compromised Axios?
Run npm ls axios — look for 1.14.1 or 0.30.4. Scan node_modules for plain-crypto-js. Downgrade and pin safe versions.
Is UNC1069 only after cryptocurrency?
Historically yes, but this attack’s motives are fuzzy — expect financial plays, DPRK revenue ops.