Google Threat Intelligence Group (GTIG) has identified a significant software supply chain attack targeting the widely used JavaScript HTTP library axios. The North Korea-nexus threat actor UNC1069 used compromised maintainer credentials to publish axios versions 1.14.1 and 0.30.4 to the npm registry with a new malicious dependency, plain-crypto-js. That dependency declares a postinstall hook, so simply installing an affected axios version silently runs an obfuscated dropper, which in turn deploys the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
WAVESHAPER.V2 is a remote access trojan (RAT) that lets the operators execute arbitrary shell commands, enumerate the file system, and inject code into running processes in memory. The campaign relies on compromised maintainer accounts for distribution and disguises its components as legitimate system binaries to evade detection. Because axios sees over 180 million weekly downloads, the potential downstream impact on enterprise software and SaaS environments is substantial. Defenders are urged to audit their dependency trees and lockfiles for the affected versions and for plain-crypto-js, pin axios to an unaffected release (1.14.0 or earlier on the 1.x line, 0.30.3 or earlier on the 0.x line), and block the identified command-and-control infrastructure.