Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack
| Field | Detail |
|---|---|
| Group | UNC1069 (North Korea-nexus, BlueNoroff-linked, financially motivated threat actor) |
| Type | npm Supply Chain Compromise / Cross-Platform Remote Access Trojan |
| Malware | SILKBELL: postinstall dropper embedded in plain-crypto-js@4.2.1. WAVESHAPER.V2: updated cross-platform RAT linked to prior BlueNoroff RustBucket campaigns |
| Score | 🔴 9.5 Critical. Nation-state supply chain attack on one of npm's most downloaded packages, deploying a cross-platform RAT against any developer or CI/CD pipeline that ran npm install during the exposure window. |
| Observed | March 2026, StepSecurity, Google Threat Intelligence Group, Elastic Security Labs, Huntress |
Overview
Between 00:21 and 03:20 UTC on 31 March 2026, two malicious versions of the axios npm package were published to the npm registry. Axios is the most widely used JavaScript HTTP client, with over 100 million weekly downloads. The threat actor behind the attack had compromised the npm account of the package's primary maintainer and used that access to introduce a hidden malicious dependency, plain-crypto-js@4.2.1, into axios releases 1.14.1 and 0.30.4. Any developer, automated build system, or CI/CD pipeline that ran npm install against either of those versions during the exposure window silently received a cross-platform remote access trojan.
Google Threat Intelligence Group has attributed the attack to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The group is linked to BlueNoroff, a well-documented Lazarus Group subunit specialising in cryptocurrency theft and financial sector intrusion. The malware deployed in this campaign is WAVESHAPER.V2, an updated version of a backdoor previously observed in BlueNoroff's RustBucket operations. The internal project name macWebT found in the malware source maps directly to BlueNoroff's documented webT module, providing high-confidence attribution.
The malicious versions were removed from npm within approximately three hours of publication after StepSecurity detected the tampered packages and raised the alarm. Given axios's download velocity, even a three-hour exposure window is likely to have resulted in tens of thousands of compromised installs across developer workstations and build pipelines globally. Any system that installed either malicious version is at risk of persistent RAT access regardless of subsequent package updates, because the dropper installs a persistent implant before erasing evidence of its own execution.
This attack is one of the highest-impact npm supply chain compromises on record. Axios is a foundational dependency used across web applications, backend services, mobile apps, and DevOps toolchains. Affected sectors span finance, healthcare, government contracting, SaaS, and critical infrastructure software supply chains, making the remediation scope unusually wide.
Key Details
Delivery Method – Malicious npm package versions published via a compromised maintainer account, automatically executing a postinstall hook on any system running npm install
Target – Software developers, DevOps engineers, CI/CD pipelines, and any organisation with JavaScript-based projects using the axios HTTP library across macOS, Windows, and Linux
Functions
- Drops a platform-specific RAT binary on macOS (/Library/Caches/com.apple.act.mond), Windows (%PROGRAMDATA%\wt.exe), and Linux (/tmp/ld.py) by contacting a live C2 server at the time of installation
- Executes arbitrary shell commands and AppleScript files on compromised hosts via the runscript RAT command, giving the operator full remote code execution capability
- Deploys additional binaries through the peinject command, which performs ad-hoc code signing on macOS to bypass Gatekeeper and executes the resulting binary immediately
- Enumerates filesystem metadata from /Applications, ~/Library, and ~/Application Support directories via the rundir command, feeding reconnaissance data back to the operator
- Beacons to C2 infrastructure over port 8000 at 60-second intervals using Base64-encoded JSON, with a hardcoded legacy User-Agent string to blend into older proxy logs
- Establishes persistence on Windows by writing a download cradle to %PROGRAMDATA%\system.bat and adding a Registry Run key pointing to that batch script, ensuring the implant survives reboots
- Performs aggressive anti-forensic cleanup by deleting the postinstall script, replacing its own package.json with a clean decoy, and renaming internal files to conceal the execution chain
Obfuscation – setup.js uses two layers of obfuscation: reversed Base64 encoding with padding character substitution, followed by an XOR cipher using the key OrDeR_7077 with a constant of 333. These layers conceal the C2 URL and OS detection logic from static analysis tools.
Attack Vectors
The attack begins with the compromise of the npm account belonging to jasonsaayman, the primary maintainer of the axios package. The threat actor changed the account's registered email address to a Proton Mail address (ifstap[@]proton[.]me) under their control and then published two tampered releases to the npm registry: axios@1.14.1 and axios@0.30.4. Both versions appeared functionally identical to their legitimate predecessors but included a new undocumented dependency, plain-crypto-js@4.2.1, in their package.json manifests.
Stage 1 — Dependency Pull and Dropper Execution: When any developer or automated system runs npm install with either malicious version pinned or resolved, npm's dependency resolution fetches plain-crypto-js@4.2.1 and automatically executes its postinstall hook via node setup.js. The dropper decodes its obfuscated payload, performs OS fingerprinting, and selects the appropriate second-stage payload for the target platform.
Stage 2 — Platform-Specific RAT Deployment: The dropper contacts the C2 server at hxxp://sfrclak[.]com:8000/6202033 and downloads a platform-native implementation of the WAVESHAPER.V2 RAT. On macOS, the binary lands at /Library/Caches/com.apple.act.mond and is signed with ad-hoc code signing via codesign to bypass Gatekeeper. On Windows, the binary is written to %PROGRAMDATA%\wt.exe and a batch file at %PROGRAMDATA%\system.bat is created with a download cradle that refetches the implant on every login, supported by a corresponding Registry Run key for persistence. On Linux, the payload is written to /tmp/ld.py.
Stage 3 — C2 Beaconing and Command Execution: Once installed, the RAT beacons to the C2 at 60-second intervals using a hardcoded User-Agent string spoofing Internet Explorer 8 to blend into older proxy logs. The operator issues commands via one of four RAT modules: peinject for further payload delivery, runscript for arbitrary command execution, rundir for filesystem reconnaissance, and kill for self-termination. A second domain, callnrwise[.]com, was registered 53 minutes after sfrclak[.]com via Dynadot LLC on the same day. It resolves to the same IP address at 142.11.206[.]73 and is assessed as staging or fallback C2 infrastructure. An associated attacker-controlled account at nrwise[@]proton[.]me is linked to this second domain.
Stage 4 — Anti-Forensic Cleanup: After deploying the RAT, the dropper removes its own postinstall script from the installed package directory, overwrites its package.json with a clean version containing no postinstall reference, and renames internal files to eliminate traces of the execution chain. Subsequent inspections of the installed plain-crypto-js package show no obvious sign of malicious behaviour, making manual triage significantly harder for teams without runtime telemetry.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
Malicious npm Package Hashes
| Indicator | Type | Notes |
|---|---|---|
| 2553649f2322049666871cea80a5d0d6adc700ca | SHA-1, axios@1.14.1 | Malicious npm tarball |
| d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 | SHA-1, axios@0.30.4 | Malicious npm tarball |
| 07d889e2dadce6f3910dcbc253317d28ca61c766 | SHA-1, plain-crypto-js@4.2.1 | Malicious dependency package |
| e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | SHA-256, setup.js | SILKBELL postinstall dropper |
C2 Domains
| Indicator | Type | Associated Actor |
|---|---|---|
| sfrclak[.]com | C2 domain | UNC1069 / BlueNoroff |
| callnrwise[.]com | Staging / fallback C2 domain | UNC1069 / BlueNoroff |
C2 IP Addresses
| Indicator | Type | Notes |
|---|---|---|
| 142.11.206[.]73 | C2 IPv4 address | Resolves for both sfrclak[.]com and callnrwise[.]com; previously tied to UNC1069 AstrillVPN infrastructure |
C2 URLs
| Indicator | Type | Notes |
|---|---|---|
| hxxp://sfrclak[.]com:8000/6202033 | Campaign payload endpoint | Campaign identifier embedded in URL path |
Attacker Infrastructure Accounts
| Indicator | Type | Notes |
|---|---|---|
| ifstap[@]proton[.]me | Attacker email | Used to hijack the jasonsaayman npm maintainer account |
| nrwise[@]proton[.]me | Attacker email | Associated infrastructure account linked to callnrwise[.]com |
Malware File Paths by Platform
| Indicator | Platform | Notes |
|---|---|---|
| /Library/Caches/com.apple.act.mond | macOS | WAVESHAPER.V2 RAT binary |
| %PROGRAMDATA%\wt.exe | Windows | WAVESHAPER.V2 RAT binary |
| %PROGRAMDATA%\system.bat | Windows | Download cradle batch file for persistence |
| /tmp/ld.py | Linux | WAVESHAPER.V2 RAT binary |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Software Dependencies | Compromised npm maintainer account to publish malicious axios versions |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Postinstall dropper (setup.js) executes via Node.js on package install |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | runscript RAT command executes arbitrary commands via /bin/sh on macOS and Linux |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | Windows persistence via Run key pointing to %PROGRAMDATA%\system.bat |
| T1140 | Deobfuscate/Decode Files or Information | Two-layer XOR and reversed Base64 obfuscation in setup.js dropper |
| T1070.004 | Indicator Removal: File Deletion | Dropper deletes postinstall script and overwrites package.json with a clean decoy |
| T1071.001 | Application Layer Protocol: Web Protocols | RAT beacons to C2 over HTTP on port 8000 at 60-second intervals |
| T1036 | Masquerading | Hardcoded User-Agent spoofing IE8 to evade proxy-based detection |
Mitigation and Prevention
Audit Your npm Dependency Tree Immediately
Any project that resolved axios@1.14.1 or axios@0.30.4 during the exposure window (00:21 to 03:20 UTC on 31 March 2026) should be treated as compromised. Run npm ls axios across all repositories and CI configurations to identify affected versions, then downgrade to axios@1.14.0 or axios@0.30.3 at minimum and delete any installed plain-crypto-js package from your node_modules tree. Do not assume a subsequent npm install of a clean version will undo damage already caused by the postinstall hook.
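The audit above can be run mechanically across every checked-in lockfile. The following is an added example, not code from the advisory or from the axios project: it parses an npm lockfile (both the lockfileVersion 1 nested layout and the lockfileVersion 2/3 flat layout) and reports any entry matching the malicious axios or plain-crypto-js versions named in this advisory. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the axios project): scan an npm
// lockfile for the malicious axios releases and the plain-crypto-js dependency
// named above. Handles lockfileVersion 1 and lockfileVersion 2/3 layouts.
const MALICIOUS = new Map([
  ["axios", new Set(["1.14.1", "0.30.4"])],
  ["plain-crypto-js", new Set(["4.2.1"])],
]);

// lockfileVersion 1: walk the nested "dependencies" tree.
function walkV1(deps, parentPath, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    out.push({ name, version: info.version, path });
    walkV1(info.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/axios/node_modules/plain-crypto-js" -> "plain-crypto-js".
function walkV2(packages, out) {
  const marker = "node_modules/";
  for (const [path, info] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry, not a dependency
    const idx = path.lastIndexOf(marker);
    const name = info.name || (idx === -1 ? path : path.slice(idx + marker.length));
    out.push({ name, version: info.version, path });
  }
}

// Return every installed package as { name, version, path }.
function listPackages(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, "", out);
  return out;
}

// Parse lockfile text (e.g. fs.readFileSync("package-lock.json", "utf8"))
// and return the entries whose name/version pair is on the list.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  return listPackages(lock).filter((p) => MALICIOUS.get(p.name)?.has(p.version));
}

// Constructed sample (v3 shape): a clean package, a bad axios, and the dropper beneath it.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
  },
});
```

A non-empty result from auditLockfile means the lockfile resolved a malicious version at some point, which is the trigger for the credential rotation and hunting steps that follow; an empty result does not clear a machine that ran npm install without a committed lockfile.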
Rotate All Secrets and Credentials on Affected Systems
Any system or build runner that installed the malicious versions should be treated as having an active RAT implant. Rotate all credentials, API keys, tokens, and secrets accessible from those environments immediately, regardless of whether forensic evidence confirms RAT execution. The dropper's cleanup routine is specifically designed to erase that evidence, so absence of forensic traces is not confirmation of a clean system. Pay particular attention to CI/CD service account credentials, cloud provider access keys, and code signing certificates.
Hunt for Persistence and RAT Binaries Across Your Fleet
Check for the presence of RAT file paths on all potentially affected endpoints: /Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%\wt.exe and %PROGRAMDATA%\system.bat on Windows, and /tmp/ld.py on Linux. On Windows, audit Registry Run keys for any references to system.bat or wt.exe. Look for outbound HTTP traffic on port 8000 to sfrclak[.]com or callnrwise[.]com and inspect proxy logs for the hardcoded User-Agent string (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), which should be anomalous in any modern environment.
Block C2 Infrastructure at the Network Perimeter
Add sfrclak[.]com, callnrwise[.]com, and 142.11.206[.]73 to your DNS blocklists, firewall deny rules, and SIEM detection rules immediately. If proxy logs show any historical outbound connections to port 8000 on these hosts, treat those source systems as compromised and initiate incident response. The C2 server went offline after the attack was reported, but blocking the infrastructure remains important in case the actor repurposes the same IPs for follow-on activity.
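The hunting and blocking guidance in the two sections above can be turned into a log sweep. The following is an added example, not code from the advisory or any of the cited vendors: it refangs the defanged indicators listed in this advisory, parses proxy log lines, and reports each source system that contacted the C2 hosts, used port 8000 on them, or sent the hardcoded User-Agent. The tab-separated log format and the sample lines are constructed for the demonstration; adapt parseLine to your proxy's actual format.

```javascript
// Added example (not from the advisory): sweep proxy logs for the network
// indicators listed above. Lines are a constructed tab-separated format:
// timestamp, source IP, method, URL, HTTP status, User-Agent.

// Turn a defanged indicator ("a[.]b", "hxxp://") back into a matchable string.
function refang(s) {
  return s.replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
}

const C2_HOSTS = new Set(["sfrclak[.]com", "callnrwise[.]com", "142.11.206[.]73"].map(refang));
const C2_PORT = "8000";
// Hardcoded User-Agent quoted in the advisory; compared case-insensitively.
const C2_USER_AGENT = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)";

// Parse one line; null for malformed lines so one bad row does not stop the sweep.
function parseLine(line) {
  const f = line.split("\t");
  if (f.length < 6) return null;
  const [ts, src, method, url, status, ua] = f;
  let u;
  try { u = new URL(url); } catch { return null; }
  return { ts, src, method, host: u.hostname, port: u.port, status, ua };
}

// Why a record matches; an empty array means it is clean.
function matchReasons(rec) {
  const reasons = [];
  if (C2_HOSTS.has(rec.host)) {
    reasons.push(rec.port === C2_PORT ? "c2-host-port-8000" : "c2-host");
  }
  if (rec.ua.toLowerCase() === C2_USER_AGENT) reasons.push("hardcoded-user-agent");
  return reasons;
}

// Sweep log text; one finding per matching line, keyed by the source IP so
// the affected system can be pulled into incident response.
function huntProxyLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const rec = line.trim() ? parseLine(line) : null;
    if (!rec) continue;
    const reasons = matchReasons(rec);
    if (reasons.length) findings.push({ src: rec.src, host: rec.host, reasons });
  }
  return findings;
}

// Constructed sample: a normal registry fetch, a beacon to the payload
// endpoint with the spoofed User-Agent, and a direct-to-IP fetch on port 8000.
const SAMPLE_LOG = [
  "2026-03-31T01:02:03Z\t10.0.0.5\tGET\thttps://registry.npmjs.org/axios\t200\tnpm/10.8.2 node/v20.11.0",
  `2026-03-31T01:03:09Z\t10.0.0.7\tPOST\t${refang("hxxp://sfrclak[.]com:8000/6202033")}\t200\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)`,
  `2026-03-31T01:04:10Z\t10.0.0.9\tGET\t${refang("hxxp://142.11.206[.]73:8000/")}\t404\tcurl/8.4.0`,
].join("\n");
```

Each finding's src value is a host to treat as compromised per the guidance above, regardless of whether the RAT files are still present on it.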
Enforce npm Account Security Controls on Published Packages
If your organisation publishes packages to npm, enable two-factor authentication on all maintainer accounts and configure npm Provenance to cryptographically link published packages to their source repository and CI pipeline. For internal dependency consumption, configure an npm mirror or private registry to prevent automatic resolution of tampered upstream packages and pin critical dependencies by exact version hash rather than semver range.
Treat Your CI/CD Pipeline as a Target Surface
Build runners, artefact caches, and dependency resolution environments are increasingly targeted by supply chain actors because compromising them can propagate malware across dozens or hundreds of downstream projects simultaneously. Review which secrets your CI systems have access to, apply least-privilege principles to build runner service accounts, and ensure runtime security tooling is active on build infrastructure and not just production workloads.
Implement Runtime Dependency Integrity Checking
Deploy tooling such as npm audit signatures, Sigstore, or a software composition analysis scanner integrated into your CI pipeline to detect unexpected new dependencies or package.json modifications before they execute. Tools that monitor postinstall script activity at runtime can catch dropper behaviour even when static analysis is defeated by obfuscation. Consider making package-lock.json or yarn.lock files mandatory and enforced in CI to prevent unexpected dependency resolution.
Risk Assessment
This attack represents one of the most strategically positioned npm supply chain compromises attempted to date. Axios is not a niche package. It is a direct dependency in hundreds of thousands of JavaScript projects and an indirect dependency in tens of millions more. During the three-hour exposure window, the attack had the potential to reach development workstations, CI/CD build runners, staging environments, and production containers across virtually every sector of the global software industry. Even a small percentage infection rate against a package of this download volume translates to thousands of compromised systems.
The attribution to UNC1069 and BlueNoroff shifts the risk calculus well beyond opportunistic credential theft. BlueNoroff has a well-documented history of pivoting from developer workstation access to financial system compromise, cryptocurrency theft, and persistent long-term access to high-value targets. WAVESHAPER.V2's peinject capability indicates the initial RAT is likely a staging implant rather than the final payload. Affected systems should be assessed under the assumption that further tooling may have been deployed in the hours between infection and package removal.
The obfuscation quality, anti-forensic cleanup behaviour, and cross-platform targeting framework point to a threat actor operating at a high level of sophistication with purpose-built infrastructure for this campaign. The 53-minute gap between the registration of the two C2 domains on the day of the attack points to operational precision rather than improvisation. Security teams should not wait for confirmed forensic evidence of RAT execution before initiating incident response, as the dropper's cleanup routine is specifically designed to prevent that confirmation.
Conclusion
Any organisation with JavaScript developers or npm-based build pipelines should treat this as an active incident requiring immediate triage rather than a routine advisory to file for later. The single most important action is to audit all environments for installations of axios@1.14.1 or axios@0.30.4, rotate credentials from any affected system, and hunt for WAVESHAPER.V2 file paths and C2 traffic indicators without waiting for alerts to surface organically.
This attack illustrates a deliberate and accelerating shift in North Korean offensive operations toward the software supply chain as a primary intrusion vector. Rather than targeting individual organisations through phishing or vulnerability exploitation, UNC1069 chose to compromise a single widely trusted open-source maintainer account and let the global developer community deliver the payload on their behalf. The playbook works precisely because package ecosystems are built on trust and automation, and that trust will be increasingly weaponised as long as credential hygiene and account security at the maintainer level remain inconsistent.
Sources
- StepSecurity – axios Compromised on npm: Malicious Versions Drop Remote Access Trojan (March 2026)
- Google Cloud Blog / GTIG – North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package (March 2026)
- Elastic Security Labs – Inside the Axios Supply Chain Compromise: One RAT to Rule Them All (March 2026)
- The Hacker News – Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account (March 2026)
- Axios.com – North Korean Hackers Implicated in Major Supply Chain Attack (March 2026)