Axios NPM Package Supply Chain Attack: Key Questions Answered


On March 31, 2026, a sophisticated software supply chain attack compromised the widely used axios NPM package, affecting millions of downloads across Windows, macOS, and Linux. This Q&A breaks down the incident, the threat actor behind it, and actionable steps for defenders.

What is the nature of the recent supply chain attack on the axios NPM package?

The attack targeted the popular Node Package Manager (NPM) package axios, a JavaScript library that simplifies HTTP requests. Between 00:21 and 03:20 UTC on March 31, 2026, an unknown adversary introduced a malicious dependency named plain-crypto-js into axios versions 1.14.1 and 0.30.4. These versions typically see over 100 million and 83 million weekly downloads, respectively. The malicious package is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across all major operating systems. According to Google Threat Intelligence Group (GTIG), the attack stems from a compromised maintainer account, with the email changed to an attacker-controlled address (ifstap@proton.me). This supply chain attack represents a significant risk because axios is embedded in countless JavaScript projects, potentially exposing a vast ecosystem to remote access.

[Image: Axios NPM Package Supply Chain Attack: Key Questions Answered. Source: www.mandiant.com]

Who is responsible for the attack and what is their motivation?

GTIG attributes the activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. This attribution is based on the use of WAVESHAPER.V2, an updated backdoor that previously appeared in UNC1069 campaigns. Analysis of infrastructure artifacts shows overlaps with past operations, confirming the link. Unlike espionage-oriented groups, UNC1069 is driven by financial gain, often targeting cryptocurrency exchanges, software supply chains, and other monetizable assets. The compromise of axios, a core library in the JavaScript ecosystem, suggests an intent to harvest credentials, deploy ransomware, or steal sensitive data from downstream victims. This attack aligns with North Korea's broader pattern of cyber theft to fund its regime, making it a priority for defenders to track and mitigate.

How did the attackers compromise the axios package?

The attack began with a compromise of the axios maintainer account. The associated email was changed to ifstap@proton.me, an attacker-controlled address, allowing the adversary to publish malicious updates. The threat actor then introduced plain-crypto-js as a dependency in the legitimate axios package.json file. To ensure silent execution, they added a postinstall hook: "postinstall": "node setup.js". When NPM installs the compromised axios package, it automatically runs setup.js in the background without user interaction. This technique leverages NPM’s legitimate lifecycle scripts, making detection difficult. After deploying the payload, setup.js attempts to delete itself and revert the modified package.json to hide the postinstall hook, minimizing forensic evidence. The entire operation was timed within a three-hour window to evade suspicion.

How does the malicious plain-crypto-js dependency work?

The plain-crypto-js package acts as a payload delivery vehicle. Its core component is SILKBELL (setup.js, SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09). Upon execution, it dynamically checks the target system’s operating system using the os module. The dropper employs custom XOR and Base64 obfuscation to conceal the command-and-control (C2) URL and execution commands. To evade static analysis, it dynamically loads fs, os, and execSync. After downloading the appropriate payload based on OS, setup.js deletes itself and cleans up package.json. This stealth design makes traditional signature-based detection ineffective, as the dropper leaves minimal footprints and adapts its behavior to the environment.


What are the technical details of the attack on Windows, macOS, and Linux?

The dropper tailors its execution to each platform. On Windows, it uses PowerShell or cmd commands to download and execute the WAVESHAPER.V2 backdoor. On macOS and Linux, it leverages shell scripts or similar mechanisms. The backdoor maintains persistence and communicates with the attacker’s C2 server. The use of multi-platform support indicates the actor’s intent to maximize impact across the diverse user base of axios. Each routine is obfuscated to hinder analysis. The attack lifecycle—from account compromise to payload deployment—is detailed in our overview, but notably, the Windows path actively runs a system check to avoid sandbox environments.

How can defenders detect and mitigate this threat?

Defenders should first verify they are not running axios versions 1.14.1 or 0.30.4 from the compromised timeframe. Check package-lock.json or yarn.lock for any reference to plain-crypto-js. Monitor network traffic for C2 indicators provided by GTIG (see original blog). Review maintainer account email changes in open-source projects. Implement dependency integrity checks using tools like npm audit or lockfile linting. For advanced detection, analyze postinstall scripts in dependencies for unusual execution. The WAVESHAPER.V2 backdoor can be detected by its specific registry keys and file system artifacts on Windows. Routine sandbox analysis of package updates can catch droppers like SILKBELL. Finally, restrict outbound internet access for build servers to mitigate data exfiltration.

What indicators of compromise should be monitored?

Key IoCs include the malicious package plain-crypto-js with version 4.2.1, the attacker email ifstap@proton.me, and the setup.js SHA256 hash e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09. Network-level indicators involve C2 domains associated with UNC1069 infrastructure (refer to GTIG’s full report). On endpoints, look for unusual node processes initiating outbound connections or executing shell commands. File system changes such as unexpected deletion of package.json or temporary files left by the dropper are also suspicious. Monitor for WAVESHAPER.V2 artifacts, including persistence mechanisms on each OS. Because the attack uses obfuscation, behavioral detection is critical—watch for NPM installs that trigger scripts without user interaction.
