Google Threat Intelligence Group (GTIG) is investigating a significant software supply chain attack targeting the popular Node Package Manager (NPM) package axios. Between March 31, 2026, 00:21 and 03:20 UTC, an attacker added a malicious dependency called plain-crypto-js to axios versions 1.14.1 and 0.30.4. Axios is widely used for simplifying HTTP requests, with these versions seeing over 100 million and 83 million weekly downloads, respectively. The malicious dependency acts as an obfuscated dropper, deploying the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux systems.
GTIG links this activity to UNC1069, a financially motivated North Korean threat actor active since at least 2018. This attribution is based on the use of WAVESHAPER.V2, an updated variant of a previously used backdoor. Analysis of the infrastructure involved in this attack shows similarities with past UNC1069 operations.
Campaign Overview
On March 31, 2026, GTIG detected the introduction of plain-crypto-js version 4.2.1 into the legitimate axios package. The maintainer's account was compromised, with the email changed to an attacker-controlled address ([email protected]). The threat actor exploited the postinstall hook in the package.json file to execute an obfuscated JavaScript dropper named setup.js silently upon installation.
Malware Analysis
The plain-crypto-js package serves as a delivery mechanism for the payload. The core component, setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), identifies the target operating system to deliver specific payloads. It employs a custom obfuscation method to hide command-and-control (C2) URLs and execution commands, dynamically loading necessary modules to avoid detection. After dropping the secondary payload, setup.js attempts to erase itself and restore the original package.json.
Operating System-Specific Execution Paths
Depending on the operating system, the dropper executes distinct routines:
Windows
The dropper seeks the powershell.exe binary, copying it to %PROGRAMDATA%\wt.exe to avoid detection. It downloads a PowerShell script via curl and executes it using the copied executable with hidden flags.
macOS
The malware uses bash and curl to download a Mach-O binary payload to /Library/Caches/com.apple.act.mond, modifies permissions, and executes it in the background.
Linux
The script downloads a Python backdoor to /tmp/ld.py.
WAVESHAPER.V2 Backdoor Capabilities
The payloads ultimately deploy WAVESHAPER.V2, a C++ backdoor that collects system information and executes additional commands. The malware communicates with the C2 endpoint over port 8000 every 60 seconds, sending Base64-encoded JSON data. It supports various commands, including:
- kill: Terminates the malware's execution.
- rundir: Retrieves directory listings and metadata.
- runscript: Executes provided AppleScript payloads.
- peinject: Executes arbitrary binary payloads.
On Windows, it maintains persistence by creating a hidden batch file and modifying the registry to ensure it runs at login.
Remediation Steps
GTIG advises developers and organizations using axios to take immediate action:
- Version Control: Avoid upgrading to axios versions 1.14.1 or 0.30.4.
- Dependency Pinning: Pin axios to a known safe version in package-lock.json.
- Malicious Package Audit: Inspect project lockfiles for plain-crypto-js versions 4.2.0 or 4.2.1.
- Incident Response: If plain-crypto-js is found, treat the environment as compromised and rotate credentials.
- Network Defense: Block traffic to sfrclak[.]com and the C2 IP 142.11.206.73.
Indicators of Compromise (IOCs)
For those hunting this activity, GTIG has made IOCs available in a free GTI Collection.