A sophisticated software supply chain attack has compromised the widely used axios npm package, distributing the WAVESHAPER.V2 backdoor to Windows, macOS, and Linux systems. The poisoned releases, versions 1.14.1 and 0.30.4, abused npm's automatic install-time scripts to deliver the malware, affecting numerous developers and downstream applications.
The incident, identified by Google Cloud researchers and attributed to a North Korea-nexus threat actor known as UNC1069, highlights the pervasive risks within the open-source software ecosystem. The attack leveraged a malicious dependency, plain-crypto-js, to establish a foothold on victim machines. The widespread adoption of the axios library means that potentially millions of developers and systems could be at risk.
How the Axios Package Infection Unfolded
According to Google Cloud’s analysis, the threat actors gained unauthorized access to the axios maintainer account. They changed the email address associated with it and then published axios releases that declared a malicious version of the plain-crypto-js library, specifically version 4.2.1, as a dependency. Because the change travelled through the ordinary publish-and-update path of the JavaScript ecosystem, it was not caught before the versions reached the registry.
The method of infection was particularly insidious. Rather than requiring any action from the victim, the attackers relied on an npm postinstall lifecycle script. npm runs install-time scripts automatically during `npm install` unless scripts are disabled, so the malicious code, disguised as a setup script (setup.js), executed in the background the moment the tainted axios package and its new dependency were installed, on every developer workstation and CI runner that picked up the version. No user interaction was needed, which significantly increased the attack’s reach.
The Cross-Platform Malware Delivery
The initial dropper script, tracked by Google Threat Intelligence Group (GTIG) as SILKBELL, detected the victim’s operating system and deployed a payload tailored to it. On Windows, the script located powershell.exe, made a copy of it to evade detection, and used curl to download a further PowerShell stage. That stage ran with a hidden window and an execution-policy override, so no console appeared and the host’s script policy did not stop it.
On macOS, the chain used Bash and curl to drop a Mach-O executable in the /Library/Caches/com.apple.act.mond directory, adjusted its file permissions, and launched it with zsh. On Linux, it downloaded a Python backdoor to /tmp/ld.py.
To further conceal its presence, the setup.js dropper attempted to erase itself after successfully deploying the next stage of the attack. It also reportedly attempted to restore the altered package.json file from a stored copy, a tactic aimed at hindering forensic investigations.
The final payload, the WAVESHAPER.V2 backdoor, beacons to its command-and-control (C2) servers every 60 seconds over port 8000, exchanging Base64-encoded JSON and identifying itself with a hard-coded User-Agent string.
Capabilities of the WAVESHAPER.V2 Backdoor
The WAVESHAPER.V2 backdoor grants the UNC1069 threat group extensive capabilities. GTIG reports that the malware can gather detailed system information, enumerate files and directories, execute arbitrary scripts, deploy additional malicious payloads, and wait for further instructions from its C2 server. On Windows, it also persists by writing a hidden batch file and adding a value named MicrosoftUpdate to the current user’s Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), so the batch file is launched again at every logon.
Mitigation and Defense Strategies
For organizations and developers, the immediate response to this attack should focus on package management and host containment. Google recommends avoiding axios versions 1.14.1 and 0.30.4. Projects should instead be pinned to known-good releases, 1.14.0 or earlier on the 1.x line and 0.30.3 or earlier on the 0.x line. Developers should also check their lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) for any instance of plain-crypto-js versions 4.2.0 or 4.2.1.
Any system that installed the compromised dependency should be treated as potentially compromised. This necessitates rebuilding affected systems or reverting them to a known-good state. Furthermore, a comprehensive rotation of all credentials, including tokens and API keys, that may have been present on the affected host is strongly advised.
Teams managing CI/CD pipelines should temporarily halt affected automated build and deployment jobs. Clearing the npm, yarn, and pnpm caches matters because a cached copy of the poisoned tarball would otherwise be reinstalled from disk without ever contacting the registry again. Network defenses should be updated to block traffic to the identified C2 domain and IP address, namely sfrclak[.]com and 142.11.206.73.
Beyond these immediate steps, security teams should watch for unexpected child processes spawned by Node.js, such as powershell.exe, curl, zsh, or python launched from an npm install, since that is exactly how this dropper ran. More broadly, the incident underscores the need for continuous assessment of the security posture of every open-source dependency in use.
The attack on the axios package demonstrates how trusted open-source components can be weaponized with alarming ease. As axios is a foundational library in many projects, organizations must not only scrutinize their direct dependencies but also assess their inherited exposure through complex dependency trees, internal development tools, and production services.
The presence of plain-crypto-js in a project’s dependency list should be treated as a significant indicator of potential compromise, raising concerns that the malware may have spread beyond the initial infected machine. Validating adjacent systems for related malicious activity is therefore paramount. In cybersecurity incidents of this nature, rapid containment is essential to limit the potential for subsequent exploitation and damage.

