How a North Korean Threat Actor Infiltrated the Axios NPM Library

From Stripgay, the free encyclopedia of technology

Introduction

In late March 2026, the Google Threat Intelligence Group (GTIG) uncovered an ongoing software supply chain attack against Axios, a promise-based HTTP client for Node.js and browsers that is one of the most widely used JavaScript libraries, with millions of weekly npm downloads. The attacker slipped a malicious dependency into two Axios releases and used it to deploy a backdoor on Windows, macOS and Linux hosts. GTIG attributes the operation to UNC1069, a financially motivated threat actor linked to North Korea. This article walks through the attack lifecycle, the malware involved, and what defenders can do about it.

How a North Korean Threat Actor Infiltrated the Axios NPM Library
Source: www.mandiant.com

Campaign Overview

Between 00:21 and 03:20 UTC on March 31, 2026, the actor, holding a compromised Axios maintainer account, changed the account's email address to ifstap@proton.me and published a malicious release, Axios 1.14.1 (a backported 0.30.4 was also affected). The release added a bogus dependency, plain-crypto-js 4.2.1, to Axios's package.json. That package carried a postinstall hook, so npm ran its JavaScript dropper automatically on every install of the compromised Axios version, including installs by projects that only depend on Axios transitively, because npm runs dependency lifecycle scripts by default.

The dropper, tracked as SILKBELL and shipped as setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), fingerprinted the operating system and then downloaded and executed a payload built for that platform.

Malware Analysis

The SILKBELL Dropper

The plain-crypto-js package existed only to deliver the dropper. When it was installed, npm ran its setup.js lifecycle script. That script hid its command-and-control (C2) URLs and operating-system commands behind a custom encoding: XOR with a static key, then Base64. To avoid static signatures it did not name the Node.js modules it needed in plain require calls at the top of the file; it loaded fs, os and child_process (for execSync) at runtime.

After dropping the backdoor, SILKBELL tried to delete itself and to rewrite package.json so the postinstall hook no longer appeared, to frustrate forensic analysis. A clean-looking package.json on a host is therefore not evidence that nothing ran; the lockfile still records which packages were resolved at install time.

Obfuscation Techniques

The actor layered obfuscation: strings were XORed with a static key and then Base64-encoded, and runtime environment checks chose the payload, so the second stage fetched differed by operating system. A static XOR key is weak against analysis, since any recovered plaintext (a module name, a URL scheme) yields the key bytes it covers.

Operating System-Specific Execution

After identifying the system platform, SILKBELL executed one of three paths:

  • Windows: the dropper fetched and ran WAVESHAPER.V2, an updated build of the WAVESHAPER backdoor with a persistence mechanism and support for remote command execution, data exfiltration and file manipulation.
  • macOS: a macOS-specific backdoor variant with the same functionality, adapted to the Unix-like environment.
  • Linux: a Linux variant following the same pattern, giving the actor access to servers as well as development machines.

Attribution to UNC1069

GTIG attributes the operation to UNC1069, a financially motivated cluster linked to North Korea that has been active since at least 2018 and has used the WAVESHAPER backdoor before. WAVESHAPER.V2 overlaps in code and infrastructure with earlier UNC1069 activity: IP addresses and domain names used in this attack match those seen in previous operations against cryptocurrency platforms and software supply chains.


The motive appears to be financial: backdooring the developers and organizations that install Axios gives the actor a foothold in their systems, consistent with the group's earlier targeting of cryptocurrency platforms.

Indicators of Compromise and Mitigation

Defenders should check for the following indicators of compromise:

  • Axios 1.14.1 or 0.30.4, or plain-crypto-js 4.2.1, present in node_modules or recorded in a lockfile
  • The email address ifstap@proton.me associated with any npm maintainer accounts
  • The SHA256 hash e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 for setup.js
  • Unexpected postinstall hooks in any package.json files

To mitigate this threat:

  • Pin Axios to a known-good version, reinstall it from the registry, and audit the dependency tree (npm ls axios lists every resolved copy, including nested ones).
  • Treat any host that installed a compromised version as compromised, not merely misconfigured: the postinstall hook deployed a backdoor, so rebuild the host and rotate credentials it held.
  • Review npm maintainer accounts for unauthorized email changes and require two-factor authentication on them.
  • Monitor for outbound connections to domains or IP addresses associated with UNC1069.
  • Disable lifecycle scripts on install where your build allows it (ignore-scripts=true in .npmrc, or npm ci --ignore-scripts) and use tooling that flags unexpected install scripts.

This attack underscores the importance of supply chain security. Even the most trusted packages can be compromised, and defenders must remain vigilant.

For more details, refer to the GTIG report and consult your security team for specific detection rules.