Exposure Window: If your team ran npm install or an automated build on March 31, 2026, between 00:21 and 03:30 UTC, your environment may be compromised. Scroll down to Remediation immediately.
Note: We are reviewing our scan data and internet telemetry to provide ongoing insights to customers. We will be updating this post with more information as we uncover it, to contribute to the broader cyber and threat intel community.
We are actively tracking a major, ongoing software supply chain compromise targeting axios, the widely used HTTP client library with over 100 million weekly downloads. By hijacking a primary maintainer's npm account, threat actors published malicious versions of the library that bypassed traditional security checks, exposing developer workstations and CI/CD environments globally. The full downstream effects are still being assessed.
This post synthesizes technical analysis from Google Threat Intelligence Group (GTIG), StepSecurity, Wiz, and Elastic Security Labs.
Attribution: North Korea-Nexus Threat Actor UNC1069
Based on infrastructure telemetry and historical overlaps with prior campaigns, GTIG attributes this attack to UNC1069, a financially motivated threat actor with North Korea nexus, active since at least 2018. Specific VPN nodes and adjacent hosting infrastructure link this campaign directly to earlier UNC1069 operations. The likely objectives are mass credential harvesting to facilitate downstream SaaS compromises, extortion, or cryptocurrency theft.
How the Attack Unfolded
This was not an opportunistic attack. It was a carefully staged, multi-step operation designed to evade automated security scanners.
Step 1 — Staging the Decoy The attacker, using a throwaway proton.me email address, published a clean package named [email protected] containing legitimate cryptographic code. This established a benign registry history to avoid "new package" detection flags.
Step 2 — Weaponization Eighteen hours later, the attacker updated the package to [email protected], introducing a malicious postinstall hook and a heavily obfuscated JavaScript dropper, tracked by GTIG as SILKBELL.
Step 3 — The Maintainer Account Hijack Threat actors gained access to the npm account of a lead axios maintainer, changed the account email to an attacker-controlled address, and manually published [email protected]. Within 40 minutes, they also published [email protected] to target the legacy branch and maximize exposure.
A key forensic indicator: legitimate axios releases use GitHub Actions with npm's OIDC Trusted Publisher mechanism. The malicious releases carry no OIDC binding, confirming they were published manually from an attacker-controlled CLI.
The npm security team removed the malicious packages approximately three hours after publication, but the window was sufficient to expose thousands of automated builds and developer installs.
The Malware: SILKBELL and WAVESHAPER.V2
SILKBELL is the dropper — the obfuscated script that executes on install and delivers the payload. WAVESHAPER.V2 is the persistent remote access trojan (RAT) it installs.
Notably, not a single line of the axios source code was modified. Instead, the attackers altered package.json to add [email protected] as a new runtime dependency. When a developer or CI/CD pipeline runs npm install, the package manager automatically resolves this dependency and executes SILKBELL's postinstall script.
SILKBELL checks the host OS and drops a platform-specific WAVESHAPER.V2 variant:
- Windows — PowerShell implementation
- macOS — Compiled Mach-O C++ binary
- Linux — Python implementation
All three variants share an identical C2 protocol, beaconing to sfrclak.com:8000 every 60 seconds. A consistent and reliable detection indicator across all platforms: each variant uses a spoofed Internet Explorer 8 User-Agent string (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), which is highly anomalous on any modern operating system.
WAVESHAPER.V2 implements four core commands:
- kill — self-termination
- runscript — remote script execution
- peinject — binary payload delivery
- rundir — interactive filesystem browsing
Anti-Forensics
Once WAVESHAPER.V2 is deployed, SILKBELL performs a cleanup routine: it deletes its own installation script and replaces the malicious package.json with a clean decoy. Manual inspection of the node_modules folder will show no immediate signs of compromise, making post-incident detection significantly harder.
Impact
Wiz reports that axios is present in approximately 80% of cloud environments. Because the malicious scripts execute with the same permissions as the user or build process running npm install, WAVESHAPER.V2 is positioned to extract:
- Cloud provider credentials (AWS, Azure, GCP tokens)
- CI/CD pipeline secrets (GitHub Actions, Jenkins credentials)
- Local developer assets (.env files, SSH keys)
Organizations that installed the compromised versions during the exposure window should assume full compromise of affected environments.
Remediation
1. Identify Exposure and Clean Up
Audit your lockfiles (package-lock.json, yarn.lock, or pnpm-lock.yaml) for [email protected], [email protected], or plain-crypto-js.
- Downgrade: Pin axios to a known safe version (1.14.0 or 0.30.3).
- Hunt for IOCs: Scan network logs for outbound connections to sfrclak.com:8000, the IP 142.11.206.73, or the spoofed IE8 User-Agent string.
- Clean your cache: Run npm cache clean --force and reinstall dependencies in a clean environment.
2. Rotate Credentials Immediately
If there is any indication the malicious package executed, assume all credentials on that machine or pipeline are actively compromised. Rotate immediately:
- AWS access keys
- GitHub Actions tokens
- API keys and service account credentials
- SSH keys
- Local .env secrets
3. Long-Term Hardening
- npm ci --ignore-scripts: This flag prevents postinstall hooks from running automatically in build environments and should be standard practice in all CI/CD pipelines.
- Developer sandboxing: Isolate development environments in containers to restrict host filesystem access, limiting the blast radius of any future compromised package.
- Enforce OIDC provenance: Configure internal tooling to allow only packages with verified SLSA build attestations, flagging any manually published packages.
The axios compromise illustrates a core tension in the modern JavaScript ecosystem: npm install implicitly extends trust to every package in your entire dependency tree. Verifying provenance, restricting install-time script execution, and rotating credentials aggressively are the practical controls that reduce that risk.