On Monday, the Axios npm supply chain attack came to light where malicious packages had been inserted into one of JavaScript’s most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea’s Lazarus Group, and the scale of the fallout is considerably larger than initially understood.
The attack was confirmed as North Korean state-sponsored on when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.
Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, with packages that typically have over 100 million and 83 million weekly downloads, respectively.
npm is the world’s largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.
How the Attack Was Staged
Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.
The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system’s operating system and delivers platform-specific payloads.
On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user’s Temp directory.
On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.
After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.
The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG’s attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.
All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.
The Blast Radius
The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.
Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.
He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.
GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.
Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.
What Defenders Should Do Now
Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.
Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.
