A high-risk software supply chain attack has poisoned widely used axios npm releases, turning routine installs into a cross-platform compromise. Developers, CI/CD systems, and production pipelines that pulled the tainted axios versions (1.14.1 and 0.30.4) risked silently receiving a multi-stage backdoor that targeted Windows, macOS, and Linux hosts. Because axios sits deep in many dependency trees, a single malicious release can reach far beyond direct consumers — affecting developer laptops, build servers, and downstream applications.
How the compromise worked
Researchers found that the malicious axios releases introduced a new dependency, plain-crypto-js (version 4.2.1), and used an npm postinstall hook to run an obfuscated JavaScript dropper (setup.js, tracked as SILKBELL). npm executes postinstall scripts automatically as part of npm install, including for transitive dependencies, so the hook turned routine package installation into an infection vector with no additional user interaction.
Platform-specific stages and capabilities
- Windows: The dropper located powershell.exe, made a copy of it to avoid suspicion, downloaded a PowerShell stage with curl, and ran it with window-hidden and execution-policy-bypass flags. The final payload established persistence by writing a hidden batch file and adding a Run key named MicrosoftUpdate under the current user's registry hive (HKCU).
- macOS: The chain placed a Mach-O binary under /Library/Caches/com.apple.act.mond, adjusted permissions, and launched it using zsh.
- Linux: The attacker dropped a Python backdoor to /tmp/ld.py and executed it.
Across platforms the campaign included anti-forensics steps: setup.js tried to delete itself after dropping the next stage and to restore the original package.json from a stored copy, removing the most obvious trace of what had run and making forensic analysis harder.
The final payload: WAVESHAPER.V2
The final backdoor — WAVESHAPER.V2 — beacons to a hard-coded command-and-control server every 60 seconds over port 8000, using Base64-encoded JSON and a fixed user-agent string. Once present, the backdoor can:
- Collect system and environment details
- List files and directories
- Execute scripts and run arbitrary commands
- Inject or deploy additional payloads
- Await and act on further instructions from the C2
Attribution and risk scope
Google Cloud researchers linked the campaign to UNC1069, a financially motivated group with a North Korea nexus, based on overlaps in infrastructure and the use of WAVESHAPER variants. Because axios is among the most commonly downloaded HTTP client libraries in Node.js, even a targeted poisoned release can rapidly propagate through transitive dependencies to extremely broad populations of hosts and build systems.
Immediate actions for defenders
- Avoid the tainted releases: Do not use axios 1.14.1 or 0.30.4. Pin projects to known-good releases such as 1.14.0 (or earlier) and 0.30.3 (or earlier).
- Inspect lockfiles: Search package-lock.json, yarn.lock, and pnpm-lock.yaml for plain-crypto-js entries at 4.2.0 or 4.2.1 and remediate if found.
- Treat affected hosts as compromised: Isolate, rebuild from known-good images or snapshots, and rotate credentials and secrets (tokens, API keys, SSH keys) that might have been exposed.
- Pause and review CI/CD: Stop affected jobs, clear npm/yarn/pnpm caches on build agents, and inspect recent runs and artifacts for suspicious activity.
- Block indicators: Block traffic to identified domains and IPs (example indicators include sfrclak[.]com and 142.11.206.73) and monitor for outbound connections on unusual ports such as 8000.
- Hunt for postinstall activity and child processes: Look for unexpected scripts or processes spawned during package installs and for Node.js spawning unusual child processes.
- Rotate secrets and audit token use: Assume secrets on compromised systems may be exfiltrated and rotate them. Review secret-scanning controls and reduce long-lived credentials in build environments.
Longer-term mitigations and lessons
- Enforce dependency hygiene: Use strict version pinning, lockfiles, and internal registries or mirrors to control which packages enter builds.
- Employ SBOM and SCA: Generate Software Bill of Materials for projects and use software composition analysis to detect risky transitive dependencies quickly.
- Harden maintainer accounts: Require 2FA for package maintainers and monitor package account changes, email updates, or other signs of takeover.
- Immutable, reproducible builds: Favor reproducible artifacts and vetted base images over rebuilding from the network on every CI run.
- Least privilege for build agents: Limit the scope of tokens and secrets available to CI jobs and prefer ephemeral, scoped credentials.
- Improve telemetry and detection for developer environments: Monitor developer machines and build servers for obfuscated scripts run during installs and for strange outbound beaconing patterns.
- Prepare supply-chain incident playbooks: Tabletop exercises should include scenarios where package installation is the initial compromise vector and define rapid containment steps (isolate hosts, pause pipelines, rotate keys).
Why this matters
Open-source dependencies accelerate development but also concentrate systemic risk: a compromised maintainer account or poisoned release can ripple quickly across organizations. This axios incident underscores that supply-chain protections must be operationalized across development, build, and production environments. Early detection, rapid containment, and strict supply-chain hygiene are essential to limit attacker dwell time and downstream impact.
Bottom line
The axios compromise is a reminder that package management is a security boundary and should be treated as one. Organizations should assume transitive risk exists, harden their supply-chain controls, and respond aggressively to any indicator of npm-based compromise. Fast containment (isolating affected hosts, pausing CI jobs, rotating credentials) limits attacker dwell time and the potential for follow-on abuse.