Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack

Introduction

In late March 2026, the widely used JavaScript library Axios fell victim to a sophisticated software supply chain attack. Threat actor UNC1069—a financially motivated North Korea-nexus group—compromised the maintainer account, inserted a malicious dependency (plain-crypto-js), and deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. This guide breaks down the attack into seven clear steps, from initial compromise to payload execution, helping defenders understand and mitigate similar threats.

Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack
Source: www.mandiant.com

What You Need

Step 1: Compromise the Maintainer Account

The attacker targeted an Axios maintainer's credentials—likely via phishing, password reuse, or social engineering. On March 31, 2026, between 00:21 and 03:20 UTC, they successfully logged in and changed the associated email to an attacker-controlled address (ifstap@proton.me). This email swap gave the threat actor full control over the package's release process.

Step 2: Modify the Axios Package Files

Once inside the maintainer account, the attacker added a new dependency to the package.json file of Axios versions 1.14.1 and 0.30.4. The dependency—plain-crypto-js version 4.2.1—was not a legitimate library but a custom malicious package. They also injected a postinstall script hook in the dependency's own package.json:

"scripts": {
  "postinstall": "node setup.js"
}

This hook ensures automatic execution when NPM installs the compromised Axios package.

Step 3: Publish the Compromised Versions

With the modified package.json and the new dependency in place, the attacker published both Axios versions to the NPM registry. Because Axios averages over 100 million weekly downloads for v1.x and 83 million for v0.x, a broad user base was potentially exposed. The package remained live for a short window before detection.

Step 4: Trigger the postinstall Hook

When users or CI/CD pipelines executed npm install axios (or a rebuild that fetched the compromised version), NPM automatically ran the postinstall script. This invoked the file setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09)—the malicious dropper named SILKBELL.

Step 5: Execute the Dropper (SILKBELL)

setup.js is heavily obfuscated using XOR and Base64 encoding to conceal critical strings like the command-and-control (C2) URL and OS execution commands. It dynamically loads Node.js modules (fs, os, execSync) to evade static analysis. At runtime, the dropper:

Axios NPM Package Breach: A Step-by-Step Guide to the UNC1069 Supply Chain Attack
Source: www.mandiant.com

Step 6: Deploy OS-Specific Payloads

The dropper contains distinct execution paths for each OS. For Windows, it executes commands to download and run a PowerShell or exe version of WAVESHAPER.V2. For macOS and Linux, it uses shell scripts (e.g., curl, wget) to retrieve and execute similar backdoors. WAVESHAPER.V2 is an updated variant of a backdoor previously used by UNC1069, featuring improved evasion and command capabilities.

Step 7: Maintain Access and Exfiltrate

Once WAVESHAPER.V2 is installed, it establishes a persistent C2 channel, allowing the attacker to execute arbitrary commands, steal credentials, move laterally, and exfiltrate sensitive data. The backdoor can also update itself or download additional modules, making removal challenging without thorough system cleanup.

Tips for Defenders

Tags:

Recommended

Discover More

GameStop’s Audacious eBay Bid: A David vs. Goliath Strategy?5 Essential Facts About GitHub Copilot CLI: Interactive vs. Non-Interactive Modes33win68nohu90nohu90Flutter 2026 World Tour: Where to Meet the Core Team and Share Your IdeasHow Docker's Agent Fleet Transforms Software Delivery with Autonomous AI Teamswin456v99v9933win68789f789fTroubleshooting Your Mesh Wi-Fi System: Why It Might Still Fail and How to Fix Itwin456