[TIMESTAMP: 2026-04-01 00:45 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

UNC1069 Leverages Axios NPM Supply Chain to Deploy WAVESHAPER.V2

Tags: CRITICAL | Supply Chain | #UNC1069 | #WAVESHAPER.V2 | #Axios
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Developers and organizations using the axios NPM package are at risk of system compromise and data theft.
  • [02] Axios NPM versions 1.14.1 and 0.30.4 were compromised, deploying WAVESHAPER.V2 on Windows, macOS, and Linux.
  • [03] Audit for 'plain-crypto-js' dependency, pin axios to safe versions, and rotate all exposed credentials immediately.

Overview: North Korea-Nexus Actor Compromises Axios NPM Package

Google Threat Intelligence Group (GTIG) has identified an active supply chain attack targeting the popular Node Package Manager (NPM) package “axios.” Between 00:21 and 03:20 UTC on March 31, 2026, a threat actor introduced a malicious dependency, plain-crypto-js (versions 4.2.0 and 4.2.1), into axios NPM releases 1.14.1 and 0.30.4. Given axios’s widespread use as a JavaScript HTTP client library, with tens of millions of weekly downloads, the potential impact of this compromise is substantial for developers and organizations globally.

GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. This attribution is based on the use of WAVESHAPER.V2, an updated version of a backdoor previously deployed by UNC1069, alongside overlaps in infrastructure artifacts. The malicious dependency acts as an obfuscated dropper, deploying the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems.

Campaign Overview: How plain-crypto-js Infiltrated Axios

The attack began with the compromise of the axios package maintainer account, observed by GTIG on March 31, 2026. The attacker changed the account’s associated email address to an attacker-controlled address (ifstap@proton.me), enabling the injection of plain-crypto-js version 4.2.1 as a dependency of axios version 1.14.1. The threat actor leveraged the postinstall hook in the malicious dependency’s package.json. This hook silently runs an obfuscated JavaScript dropper, setup.js (tracked by GTIG as SILKBELL), during installation of the compromised axios package; install-time hooks are a key TTP for silent code execution in NPM packages.

Malware Analysis: SILKBELL Dropper and WAVESHAPER.V2 Backdoor Capabilities

The plain-crypto-js package functions as a payload delivery vehicle. Its core component, SILKBELL (setup.js, SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), determines the target system’s operating system at runtime to deliver platform-specific payloads. To evade detection and analysis, the script employs custom XOR and Base64-based string obfuscation for its C2 URL and OS execution commands, and it dynamically loads Node.js modules and functions such as fs, os, and execSync. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to conceal forensic traces of the postinstall hook.

Operating System-Specific Execution Paths

  • Windows: The dropper copies powershell.exe to %PROGRAMDATA%\wt.exe, then uses curl to download a PowerShell script (%TEMP%\6202033.ps1) from sfrclak[.]com:8000/6202033 using the POST body packages.npm.org/product1. This payload is then executed via the copied wt.exe with hidden and execution policy bypass flags.
  • macOS: The malware uses bash and curl to download a native Mach-O binary payload to /Library/Caches/com.apple.act.mond (using POST body packages.npm.org/product0). It sets executable permissions and launches the binary via zsh in the background.
  • Linux: A Python backdoor is downloaded to /tmp/ld.py using the POST body packages.npm.org/product2.

These platform-specific payloads ultimately deploy variants of WAVESHAPER.V2, a sophisticated backdoor. On Windows, WAVESHAPER.V2 achieves persistence by creating a hidden batch file (%PROGRAMDATA%\system.bat) and adding a MicrosoftUpdate entry to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run for logon execution. This backdoor acts as a fully functional Remote Access Trojan (RAT) with capabilities including:

  • Reconnaissance: Extracts system telemetry (hostname, username, OS version, running processes).
  • Command Execution: Supports in-memory Portable Executable (PE) injection and arbitrary shell commands.
  • File System Enumeration: Recursively collects detailed metadata for specified directories.

Regardless of the OS, the malware beacons to the C2 endpoint sfrclak[.]com:8000 at 60-second intervals, using a hard-coded User-Agent mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0).
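The beacon behaviour described above lends itself to a log hunt. What follows is an added example, not code from the article or from GTIG: it assumes a constructed proxy-log format (ISO time, source IP, method, URL, status, quoted User-Agent) and checks each flow against the C2 host and IP, the hard-coded User-Agent, and the fixed 60-second polling cadence.

```javascript
// Added example (not from the article or GTIG): hunt for WAVESHAPER.V2 beaconing in
// web-proxy logs using the indicators above: the C2 host sfrclak[.]com:8000 (142.11.206.73),
// the hard-coded User-Agent, and the fixed 60-second poll interval.
// Log format is constructed for this example: <ISO time> <src> <method> <url> <status> "<UA>".
const refang = (s) => s.replace("[.]", ".");           // indicators kept defanged in source
const C2_HOSTS = new Set([refang("sfrclak[.]com"), "142.11.206.73"]);
// Matched case-sensitively: the all-lowercase form is what sets it apart from a
// genuine IE8 UA ("Mozilla/4.0 (compatible; MSIE 8.0; ...)").
const C2_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)";
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;                                 // skip lines that do not fit the format
  const url = new URL(m[4]);
  const port = url.port || (url.protocol === "https:" ? "443" : "80");
  return { ts: Date.parse(m[1]), src: m[2], host: url.hostname, port, ua: m[6] };
}

// Direct indicator hits: known C2 host/IP or the hard-coded User-Agent.
function matchIocs(events) {
  return events.filter((e) => C2_HOSTS.has(e.host) || e.ua === C2_UA);
}

// Behavioural hunt: per (src -> host:port) flow, flag near-constant ~60s request gaps.
// This also catches the same polling loop against C2 hosts not yet on the IoC list.
function findBeacons(events, { period = 60, jitter = 5, minHits = 4 } = {}) {
  const flows = new Map();
  for (const e of events) {
    const key = `${e.src} -> ${e.host}:${e.port}`;
    if (!flows.has(key)) flows.set(key, []);
    flows.get(key).push(e.ts);
  }
  const beacons = [];
  for (const [flow, times] of flows) {
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => (t - times[i]) / 1000);   // seconds between requests
    if (gaps.length >= minHits - 1 && gaps.every((g) => Math.abs(g - period) <= jitter)) {
      beacons.push({ flow, hits: times.length });
    }
  }
  return beacons;
}

// Constructed sample log: one workstation polling the C2 every ~60s, one benign npm flow.
const stamp = (s) => new Date(Date.UTC(2026, 2, 31, 4, 0, s)).toISOString();
const SAMPLE_LOG = [
  ...[0, 60, 121, 180].map((s) => `${stamp(s)} 10.0.5.23 POST http://${refang("sfrclak[.]com")}:8000/ 200 "${C2_UA}"`),
  `${stamp(12)} 10.0.5.24 GET https://registry.npmjs.org/axios 200 "npm/10.8.2 node/v20.11.0"`,
  `${stamp(465)} 10.0.5.24 GET https://registry.npmjs.org/axios 200 "npm/10.8.2 node/v20.11.0"`,
];
```

Run `matchIocs` and `findBeacons` over `SAMPLE_LOG.map(parseLine).filter(Boolean)`; the jitter and minimum-hit thresholds are tunable so the cadence check can be loosened for lossy logs.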

Attribution to UNC1069

GTIG’s attribution to UNC1069 is based on strong evidentiary links. Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from an AstrillVPN node previously used by UNC1069. Furthermore, WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to the same actor. While WAVESHAPER.V2 utilizes JSON for C2 communication and boasts enhanced reconnaissance and command capabilities, both versions share dynamic C2 URL arguments, identical C2 polling behaviors, an uncommon User-Agent string, and similar temporary payload deployment directories.

Outlook and Implications

This attack by North Korea-nexus actors has broad implications, as axios is a foundational dependency for numerous other popular packages. The compromise of a widely used component in the software supply chain can lead to widespread downstream impact. Potential ripple effects include the circulation of stolen secrets, further software supply chain attacks, compromise of SaaS environments, subsequent customer compromises, ransomware and extortion events, and cryptocurrency theft. Defenders must recognize the inherent trust abused in such attacks and prioritize efforts to assess existing impact, remediate compromised systems, and harden environments against future threats.

Remediation: Mitigating UNC1069’s Axios Supply Chain Threat

Organizations and developers using the axios package must take immediate corrective action. Prioritize auditing dependency trees, isolating affected hosts, and rotating any exposed credentials or secrets. Long-term hardening through strict version pinning and enhanced supply-chain monitoring is also critical.

  • Version Control: Do not upgrade to axios versions 1.14.1 or 0.30.4. Ensure corporate-managed NPM repositories serve only known-good versions (e.g., 1.14.0 or earlier; 0.30.3 or earlier).
  • Dependency Pinning: Pin axios to a known safe version in your package-lock.json to prevent accidental upgrades.
  • Malicious Package Audit: Inspect project lockfiles to detect the plain-crypto-js npm package (versions 4.2.0 or 4.2.1). Utilize tools like Wiz or Open Source Insights for thorough dependency auditing.
  • Pipeline Security: Pause CI/CD deployments for any package relying on axios. Validate that builds are not pulling “latest” versions before redeploying with pinned, safe versions.
  • Incident Response: If plain-crypto-js is detected, assume the host environment is compromised. Revert the environment to a known-good state and rotate all credentials or secrets present.
  • Network Defense: Block all traffic to sfrclak[.]com and the C2 IP 142.11.206.73. Monitor and alert on any endpoint communication attempts to this domain.
  • Cache Remediation: Clear local and shared npm, yarn, and pnpm caches on all workstations and build servers to prevent re-infection during subsequent installs.
  • Endpoint Protection: Deploy EDR to protect developer environments. Monitor for suspicious processes spawning from Node.js applications that match known IoCs.
  • Credential Management: Rotate all tokens and API keys used by applications confirmed to have run IoCs.
  • Developer Sandboxing & Secret Vaulting: Isolate development environments in containers or sandboxes to restrict host filesystem access. Migrate plaintext secrets to the OS keychain using tools like aws-vault to ensure compromised packages cannot scrape credentials.

Indicators of Compromise (IoCs)

To assist the wider community, GTIG has provided a free GTI Collection with the following IoCs for registered users.

Network Indicators

Indicator                          | Type | Notes
142.11.206.73                      | C2   | WAVESHAPER.V2
sfrclak[.]com                      | C2   | WAVESHAPER.V2
http://sfrclak[.]com:8000          | C2   | WAVESHAPER.V2
http://sfrclak[.]com:8000/6202033  | C2   | WAVESHAPER.V2
23.254.167.216                     | C2   | Suspected UNC1069 Infrastructure

File Indicators

Family        | Notes                     | SHA256
WAVESHAPER.V2 | Linux Python RAT          | fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
WAVESHAPER.V2 | macOS Native Binary       | 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
WAVESHAPER.V2 | Windows Stage 1           | 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
WAVESHAPER.V2 | N/A                       | ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
SILKBELL      | N/A                       | e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
N/A           | system.bat                | f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd
N/A           | plain-crypto-js-4.2.1.tgz | 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668

YARA Rules

These rules are valuable for retrospective hunting and validation on developer workstations, CI/build systems, and other potentially impacted hosts.

rule G_Backdoor_WAVESHAPER_V2_PS_1
{
    meta:
        description = "Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution"
        author = "GTIG"
        md5 = "04e3073b3cd5c5bfcde6f575ecf6e8c1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Windows"
        family = "WAVESHAPER.V2"
    strings:
        $ss1 = "packages.npm.org/product1" ascii wide nocase
        $ss2 = "Extension.SubRoutine" ascii wide nocase
        $ss3 = "rsp_peinject" ascii wide nocase
        $ss4 = "rsp_runscript" ascii wide nocase
        $ss5 = "rsp_rundir" ascii wide nocase
        $ss6 = "Init-Dir-Info" ascii wide nocase
        $ss7 = "Do-Action-Ijt" ascii wide nocase
        $ss8 = "Do-Action-Scpt" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and 5 of ($ss*)
}
rule G_Hunting_Downloader_suspected_UNC1069_PS_1
{
    meta:
        description = "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2"
        author = "GTIG"
        md5 = "089e2872016f75a5223b5e02c184dfec"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Windows"
    strings:
        $ss1 = "start /min powershell -w h" ascii wide nocase
        $ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString" ascii wide nocase
        $ss3 = "Invoke-WebRequest -UseBasicParsing" ascii wide nocase
        $ss4 = "-Method POST -Body" ascii wide nocase
        $ss5 = "packages.npm.org/product1" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 5KB and all of them
}
rule G_Hunting_Downloader_SILKBELL_1
{
    meta:
        description = "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2"
        author = "GTIG"
        md5 = "7658962ae060a222c0058cd4e979bfa1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Any"
    strings:
        $ss1 = "OrDeR_7077" ascii wide fullword
        $ss2 = "String.fromCharCode(S^a^333)" ascii wide
        $ss3 = "\"TE9DQUw^\".replaceAll(\"^\",\"=\")" ascii wide
        $ss4 = "\"UFM_\".replaceAll(\"_\",\"=\")" ascii wide
        $ss5 = "\"U0NSXw--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss6 = "\"UFNfQg--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss7 = "\"d2hlcmUgcG93ZXJzaGVsbA((\".replaceAll(\"(\",\"=\")" ascii wide
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and all of them
}
