Google links Axios npm compromise to suspected North Korean group

Google has linked the supply chain compromise of the Axios npm package to a suspected North Korean threat activity cluster tracked as UNC1069, after attackers took over the maintainer’s account and pushed trojanized releases that could reach Windows, macOS and Linux systems.

KEY FACTS

  • Attribution: Google said the campaign fits UNC1069, a financially motivated North Korean cluster.
  • Compromise: Attackers published malicious Axios versions 1.14.1 and 0.30.4 through the maintainer's npm account.
  • Delivery: The malicious releases pulled in the package plain-crypto-js, whose npm postinstall hook launched a dropper called SILKBELL.
  • Payloads: The dropper delivered different malware for Windows, macOS and Linux, leading to a backdoor tracked as WAVESHAPER.V2.

A technical analysis from Google Threat Intelligence Group said the attackers did not modify Axios's own code. Instead, the malicious releases pulled in plain-crypto-js as a dependency, and that package's npm postinstall hook ran the dropper automatically as soon as the package was installed, without the developer running anything from Axios itself.

The report said the dropper fetched a next-stage payload based on the victim’s operating system. Windows systems were sent PowerShell malware, macOS systems received a C++ Mach-O binary, and Linux systems received a Python backdoor.

The backdoor, called WAVESHAPER.V2, was described as an updated version of earlier UNC1069 tooling. It beaconed to its command-and-control server every 60 seconds and supported commands to terminate itself, list directories, run scripts, and decode and execute binaries.

Researchers also pointed to overlap with earlier North Korea-linked activity, including build path references in the macOS sample and similarities to the group's prior malware. The disclosure said the dropper cleaned up after execution and replaced the malicious package file with a clean version, so an after-the-fact look at the installed files may show nothing suspicious even on a machine that ran the dropper.

Google and other researchers advised developers to audit dependency trees, pin known safe Axios versions, check node_modules for the rogue package name plain-crypto-js, and block the identified command-and-control infrastructure. They also said any credentials present on affected developer machines or build systems should be rotated.
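As an added example (not code from Google's report or from the Axios project), the following Node.js script implements the checks described in the two paragraphs above: it audits an npm package-lock.json (lockfileVersion 2 or 3) for the affected Axios versions and for plain-crypto-js, shows which lockfile entry pulls the rogue package in, and lists the install-time lifecycle hooks a package.json declares, which is the mechanism the attack relied on. The lockfile, the plain-crypto-js version and the postinstall command in it are constructed placeholders; the real values are not reproduced here.

```javascript
// Added example (not Google's or the Axios project's code): audit an npm
// package-lock.json (lockfileVersion 2 or 3) for the indicators described
// above. The lockfile and manifest below are constructed for illustration;
// the plain-crypto-js version and postinstall command are placeholders.

const AFFECTED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const ROGUE_PACKAGES = new Set(['plain-crypto-js']);
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

// Walk every installed package recorded in the lockfile and collect:
// affected Axios versions, rogue package names, and any package that npm
// marked with hasInstallScript (it declares preinstall/install/postinstall).
function auditLockfile(lock) {
  const findings = { affectedAxios: [], roguePackages: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = packageName(path);
    if (name === 'axios' && AFFECTED_AXIOS_VERSIONS.has(entry.version)) {
      findings.affectedAxios.push({ path, version: entry.version });
    }
    if (ROGUE_PACKAGES.has(name)) {
      findings.roguePackages.push({ path, version: entry.version });
    }
    if (entry.hasInstallScript === true) {
      findings.installScripts.push(path);
    }
  }
  return findings;
}

// Reverse lookup: which lockfile entries declare targetName as a dependency?
// This makes the chain root project -> axios -> plain-crypto-js visible.
function whoDependsOn(lock, targetName) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies, entry.peerDependencies);
    if (Object.prototype.hasOwnProperty.call(deps, targetName)) {
      hits.push(path === '' ? '<root project>' : path);
    }
  }
  return hits;
}

// Install-time lifecycle hooks declared in a package.json manifest (the
// mechanism the rogue package abused to run the dropper automatically).
function lifecycleHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed lockfile: a project that resolved to the trojanized axios release.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      dependencies: { 'plain-crypto-js': '*' }, // constructed range; the real spec is not reproduced
    },
    'node_modules/plain-crypto-js': {
      version: '1.0.0', // constructed placeholder version
      hasInstallScript: true,
    },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Constructed manifest for the rogue package; the real command is not reproduced.
const SAMPLE_MANIFEST = {
  name: 'plain-crypto-js',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
};

// Combine the three checks into one report for a lockfile and one manifest.
function report(lock, manifest) {
  const findings = auditLockfile(lock);
  const chains = {};
  for (const hit of findings.roguePackages) {
    chains[hit.path] = whoDependsOn(lock, packageName(hit.path));
  }
  return { findings, chains, hooks: lifecycleHooks(manifest) };
}

console.log(JSON.stringify(report(SAMPLE_LOCK, SAMPLE_MANIFEST), null, 2));
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and SAMPLE_MANIFEST with the package.json of any package the audit flags. Because the dropper replaced the malicious package file on disk with a clean copy, the lockfile entry and its `hasInstallScript` flag may be the indicator that survives when node_modules already looks benign. Installing with `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops lifecycle hooks such as this postinstall from running at all; packages that legitimately need install scripts, for example native builds, then have to be handled explicitly.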

WHY IT MATTERS

The case shows how a single npm account takeover can expose many downstream developers and build systems at once. It also underscores how package registries can be used to deliver cross-platform malware without touching the original software's own code: adding one dependency with an install hook was enough.