
8 Critical Insights Into the Axios NPM Supply Chain Attack by a North Korea-Linked Actor

Published: 2026-05-04 04:48:32 | Category: Software Tools

In late March 2026, the cybersecurity world witnessed a sophisticated supply chain attack that targeted millions of developers and organizations relying on the popular Axios JavaScript library. Malicious code was injected into two official Axios releases on the Node Package Manager (NPM) registry, compromising systems across Windows, macOS, and Linux. The Google Threat Intelligence Group (GTIG) identified the threat actor as UNC1069, a financially motivated group with ties to North Korea, and traced the attack back to a compromised maintainer account. This article breaks down the eight most critical things you need to know about this incident, from the initial breach to the deployment of advanced backdoors, along with actionable guidance for defenders.

1. The Attack at a Glance: Breaching the Most Popular HTTP Library

On March 31, 2026, between 00:21 and 03:20 UTC, an attacker managed to slip a malicious dependency called plain-crypto-js into Axios versions 1.14.1 and 0.30.4. Axios is the most widely used JavaScript library for handling HTTP requests, with over 100 million weekly downloads for version 1.x and 83 million for version 0.x. This gave the attacker a massive distribution channel. The malicious package contained an obfuscated dropper that, upon installation, silently deployed the WAVESHAPER.V2 backdoor—a cross-platform threat designed to steal data and maintain persistent access. GTIG linked this activity to UNC1069, a North Korea-nexus group active since at least 2018, known for financially driven cyber operations.

[Image: 8 Critical Insights Into the Axios NPM Supply Chain Attack by a North Korea-Linked Actor. Source: www.mandiant.com]

2. How the Compromise Unfolded: Account Takeover and Email Change

The attack vector was not a zero-day or vulnerability in Axios itself, but rather a compromised maintainer account. GTIG’s analysis revealed that the email address associated with the Axios package maintainer was changed to an attacker-controlled address: ifstap@proton.me. This allowed the threat actor to publish malicious updates under the guise of a legitimate maintainer. The attacker then introduced plain-crypto-js as a direct dependency in Axios, meaning anyone installing the compromised Axios versions would automatically pull the malicious package. This classic supply chain attack method highlights the fragility of trust in open-source ecosystems.
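The account takeover above was visible in registry metadata before any malicious version shipped: the maintainer's email changed. The following is an added example, not code from the article, Axios or GTIG, showing how a defender can diff two snapshots of an npm registry package document (the JSON served for a package, which carries a `maintainers` array of `{name, email}` entries and a `dist-tags` map) and raise a finding when a maintainer is added, removed, or has their email changed. Both snapshots are constructed sample data; the maintainer names and addresses are placeholders, not real Axios records.

```javascript
// Added example (not from the article or the Axios project): detect maintainer
// changes between two saved snapshots of an npm registry package document.
// Snapshot contents are CONSTRUCTED placeholders, not real Axios metadata.

const previousSnapshot = {
  name: "axios",
  maintainers: [{ name: "example-maintainer", email: "maintainer@example.org" }],
  "dist-tags": { latest: "1.14.0" },
};

const currentSnapshot = {
  name: "axios",
  maintainers: [{ name: "example-maintainer", email: "changed-address@example.invalid" }],
  "dist-tags": { latest: "1.14.1" },
};

// Compare the maintainers arrays by maintainer name and report any change.
function diffMaintainers(before, after) {
  const byName = (list) => new Map((list || []).map((m) => [m.name, m.email]));
  const old = byName(before.maintainers);
  const now = byName(after.maintainers);
  const findings = [];
  for (const [name, email] of now) {
    if (!old.has(name)) {
      findings.push({ type: "maintainer-added", name, email });
    } else if (old.get(name) !== email) {
      findings.push({ type: "email-changed", name, from: old.get(name), to: email });
    }
  }
  for (const [name, email] of old) {
    if (!now.has(name)) findings.push({ type: "maintainer-removed", name, email });
  }
  return findings;
}

// Report dist-tag moves alongside maintainer changes so a reviewer sees that a
// new "latest" was published in the same window as an identity change.
function diffDistTags(before, after) {
  const oldTags = before["dist-tags"] || {};
  const newTags = after["dist-tags"] || {};
  return Object.keys(newTags)
    .filter((tag) => oldTags[tag] !== newTags[tag])
    .map((tag) => ({ tag, from: oldTags[tag] || null, to: newTags[tag] }));
}

function auditSnapshots(before, after) {
  return { maintainers: diffMaintainers(before, after), distTags: diffDistTags(before, after) };
}

console.log(JSON.stringify(auditSnapshots(previousSnapshot, currentSnapshot), null, 2));
```

In practice the snapshots would be fetched on a schedule and stored, and a maintainer email change coinciding with a new `latest` tag should block the new version from entering a build until someone confirms it with the project.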

3. The Malicious Package: plain-crypto-js and Its Stealthy Dropper

The plain-crypto-js package (version 4.2.1) acted as a delivery vehicle for a multi-stage payload. The core component, named SILKBELL, was a JavaScript dropper (setup.js, SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09) that executed automatically via the postinstall hook defined in its package.json. This hook triggered node setup.js immediately after the package was installed, running the malicious code without any visible user interaction. The dropper used advanced obfuscation—custom XOR combined with Base64 encoding—to hide its command-and-control (C2) URLs and OS-specific commands. It dynamically loaded the Node.js fs and os modules and the child_process function execSync to evade static detection tools.

4. Cross-Platform Payload Delivery: Windows, macOS, and Linux

One of the most alarming aspects of this attack is its cross-platform compatibility. During execution, setup.js first identified the target operating system using Node’s os.platform(). It then downloaded and executed distinct payloads for each platform:

  • Windows: A compiled version of WAVESHAPER.V2, often disguised as a legitimate system file, was downloaded and executed silently using cmd.exe.
  • macOS: A Mach-O binary of the same backdoor was deployed via /bin/bash.
  • Linux: An ELF binary was downloaded and run with /bin/sh, granting the attacker control over Linux servers—common in cloud and DevOps environments.

This broad coverage significantly increases the attack surface, allowing UNC1069 to infiltrate diverse environments.

5. The Backdoor: WAVESHAPER.V2 – An Updated and Persistent Threat

The final payload delivered by the dropper was WAVESHAPER.V2, an evolved version of the WAVESHAPER backdoor previously attributed to UNC1069. This version retains the core capabilities of its predecessor—keylogging, screen capture, file exfiltration, and command execution—while improving its stealth and persistence mechanisms. Notably, WAVESHAPER.V2 communicates with a C2 server using encrypted channels and can update its configuration on the fly. GTIG confirmed the connection to UNC1069 based on infrastructure overlaps between this campaign and past attacks linked to the group, including shared IP addresses and domain registration patterns. The backdoor is part of a broader toolkit used for financial espionage and theft.


6. Evasion and Self-Destruction: Hiding Traces from Investigators

To avoid detection, the dropper employed several anti-forensic techniques. After deploying the secondary payload, setup.js attempted to delete itself from the file system. It also reversed the modification to the Axios package.json, removing the postinstall hook that originally triggered the malicious script. This clever cleanup aimed to make the supply chain attack invisible to a casual review. Furthermore, the obfuscated JavaScript strings made it difficult for static analysis tools to flag suspicious behavior without dynamic execution. Such techniques are a hallmark of advanced threat actors who understand the forensic processes used by incident responders.

7. Attribution and Historical Context: UNC1069’s Financial Motives

GTIG attributes this campaign to UNC1069, a threat group that has been active since at least 2018 and is assessed to be financially motivated, aligning with North Korean state-sponsored objectives. Past UNC1069 operations include cryptocurrency theft, ransomware deployment, and targeting of financial institutions. The use of WAVESHAPER.V2 is a key indicator—similar to a version used in a 2024 campaign against a South Korean crypto exchange. Infrastructure overlaps, such as the use of Proton.me email accounts and specific hosting providers, further support this attribution. Understanding the actor’s history helps defenders prioritize detections and share threat intelligence across sectors.

8. Recommendations for Defenders: Mitigation and Detection Steps

Organizations that use Axios in their Node.js projects should take immediate action. First, remove or update any Axios versions 1.14.1 or 0.30.4 and replace them with patched versions (1.15.0 or 0.31.0, if available). Second, review package-lock.json files for any instance of plain-crypto-js and scan systems for indicators of compromise (IOCs) provided by GTIG, such as C2 domains and file hashes. Third, implement supply chain security tools that automatically vet dependencies for known malicious packages. Finally, enable behavioral monitoring for unexpected script executions, especially from postinstall hooks. Regular audits of maintainer permissions and enabling two-factor authentication on NPM accounts can also reduce the risk of similar takeovers.
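The second recommendation above (reviewing package-lock.json for plain-crypto-js and the compromised Axios versions) and the postinstall mechanism described in section 3 can be checked with one script. The following is an added example, not code from the article, Axios or GTIG. It walks an npm lockfile in the lockfileVersion 3 layout (a `packages` map keyed by `node_modules/...` paths, in which npm sets `hasInstallScript: true` for packages that declare install lifecycle scripts), flags the versions the article names, flags anything that depends on plain-crypto-js, and lists install-time hooks from a package.json manifest. The lockfile and manifest below are constructed sample data; the integrity strings are placeholders, and only the package name and version numbers are taken from the article.

```javascript
// Added example (not from the article or the Axios project): audit a lockfile
// and a manifest for the indicators the article names and for install-time
// scripts. All sample data below is CONSTRUCTED; integrity values are placeholders.

const KNOWN_BAD = {
  // package name -> versions the article identifies as compromised
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { "plain-crypto-js": "4.2.1" },
    },
    "node_modules/plain-crypto-js": {
      version: "4.2.1",
      resolved: "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
      integrity: "sha512-PLACEHOLDER",
      hasInstallScript: true, // npm records this for packages declaring install scripts
    },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (handles nesting and scopes)
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry
    const name = packageNameFromPath(lockPath);
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(entry.version)) {
      findings.push({ severity: "critical", path: lockPath,
        reason: `${name}@${entry.version} is a known compromised release` });
    }
    if (entry.dependencies && "plain-crypto-js" in entry.dependencies) {
      findings.push({ severity: "critical", path: lockPath,
        reason: `${name}@${entry.version} depends on plain-crypto-js` });
    }
    if (entry.hasInstallScript) {
      findings.push({ severity: "review", path: lockPath,
        reason: `${name}@${entry.version} runs install-time scripts` });
    }
  }
  return findings;
}

// Lifecycle hooks npm runs during installation; "prepare" applies to the root
// project and git dependencies rather than registry tarballs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function listInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts)
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// CONSTRUCTED manifest shaped like the hook the article describes ("node setup.js");
// the article does not reproduce the real file.
const sampleManifest = {
  name: "plain-crypto-js",
  version: "4.2.1",
  scripts: { postinstall: "node setup.js" },
};

console.log(JSON.stringify(auditLockfile(sampleLockfile), null, 2));
console.log(JSON.stringify(listInstallScripts(sampleManifest), null, 2));
```

To run this against a real project, replace `sampleLockfile` with the parsed contents of its package-lock.json and `sampleManifest` with each node_modules/*/package.json. Do the audit with installation scripts disabled (npm's `--ignore-scripts` option) so that reviewing a lockfile never executes the hook being looked for; any "critical" finding means the dependency tree must be rebuilt from a clean registry state and the host treated as potentially compromised.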

This incident underscores the critical need for continuous vigilance in open-source ecosystems. As attackers refine their techniques, the community must respond with stronger security practices, faster incident response, and greater transparency. By understanding the methods of groups like UNC1069, defenders can better protect their software supply chains from exploitation.