The Axios npm compromise of March 2026
On March 31, 2026, UNC1069 published backdoored axios versions that stayed live for 174 minutes. A planted dependency, plain-crypto-js, dropped the WAVESHAPER.V2 backdoor on macOS, Windows, and Linux.
Tags: npm, axios, supply-chain
On March 31, 2026, between 00:21 and 03:20 UTC, a North Korea-nexus threat actor published two malicious axios releases on npm: versions 1.14.1 and 0.30.4. Google Threat Intelligence Group (GTIG) attributes the campaign to UNC1069, a financially motivated actor active since at least 2018.
What the malware did
Rather than hiding code inside axios itself, the attacker added a new dependency named plain-crypto-js (versions 4.2.0 and 4.2.1), a name chosen to resemble the legitimate crypto-js package. Its postinstall hook ran an obfuscated JavaScript dropper called SILKBELL (setup.js), which fetched platform-specific payloads and deployed WAVESHAPER.V2, a cross-platform backdoor.
GTIG documented execution paths for Windows, macOS, and Linux. On macOS, the dropper downloaded a Mach-O binary to /Library/Caches/com.apple.act.mond and launched it in the background. WAVESHAPER.V2 beacons to C2 at sfrclak[.]com (142.11.206.73) and supports reconnaissance, directory listing, script execution, and binary injection.
GTIG reported that the maintainer account associated with axios was compromised, with the registered email changed to an attacker-controlled address (ifstap@proton.me). softScheck's incident roundup notes the malicious packages were live for roughly 174 minutes before npm removed them.
Why developer Macs were in the blast radius
Axios is a transitive dependency in a large share of Node projects. Any Mac that ran npm install (or any CI job that resolved unpinned versions) during the exposure window could have pulled the backdoored release into node_modules and into the lockfile.
Teams that escaped often relied on unglamorous controls: npm ci against a committed lockfile (which installs only the versions the lockfile already records), ignore-scripts=true (which keeps a postinstall hook like SILKBELL's from running at all), or an internal registry that quarantined the new transitive package.
What GTIG recommends
GTIG's guidance for affected environments includes:
- Pin axios to known-good versions (1.14.0 or earlier; 0.30.3 or earlier)
- Audit lockfiles for plain-crypto-js 4.2.0 or 4.2.1
- Treat hosts that installed the poisoned versions as compromised and rotate credentials
- Block C2 infrastructure and clear npm/yarn/pnpm caches
Koban reads npm lockfiles from enrolled Macs. A new package name like plain-crypto-js appearing in a lockfile diff is the kind of signal that surfaces on the next heartbeat rather than at the next quarterly audit.
Further reading
- Google GTIG: Axios npm supply chain attack (primary vendor analysis, published March 31, 2026)
- softScheck: Supply Chain Attacks in 2025/2026 (timeline and control lessons)