
Axios npm Supply Chain Attack: WAVESHAPER.V2 Backdoor Delivered via Compromised Package

April 8th, 2026

High

Our Cyber Threat Intelligence Unit is monitoring a software supply chain attack involving the npm package Axios, a widely used HTTP client library for JavaScript. Between March 31 and April 1, 2026, security researchers, including Socket, Unit 42, Elastic Security Labs, Huntress, Arctic Wolf, and Google Threat Intelligence Group (GTIG), disclosed that malicious versions 1.14.1 and 0.30.4 were published to the npm registry. These versions included a hidden dependency, plain-crypto-js, which delivered a cross-platform backdoor known as WAVESHAPER.V2, capable of running on Windows, Linux, and macOS. GTIG attributes this campaign to UNC1069, a financially motivated North Korea-linked threat actor, based on malware similarities and infrastructure ties to previous UNC1069 operations. Organizations using Axios in development or production environments should treat this as a high-priority supply chain risk. 

Technical Details

Vulnerability Type: Supply Chain Attack — Compromised npm Package

Severity: High

Affected Systems: npm ecosystem; developer machines; CI/CD pipelines; build environments

Threat Actor: UNC1069 (North Korea-nexus, financially motivated)

Affected Axios Versions: 1.14.1 (tagged latest at time of discovery) and 0.30.4 (tagged legacy at time of discovery)

Attack Chain:

  • Initial Access: The attacker compromised the npm account belonging to Axios maintainer jasonsaayman, changing the account's registered email to an attacker-controlled address (ifstap@proton[.]me).

    • This allowed unauthorized publication of malicious package versions directly to the npm registry.

    • No vulnerability in npm itself was exploited: The attack relied entirely on abuse of trusted maintainer credentials, with the attacker publishing via direct CLI rather than the project's established GitHub Actions OIDC workflow.

  • Weaponization: Malicious versions of Axios (1.14.1, 0.30.4) were uploaded to npm.

    • Both the latest and legacy release channels were poisoned within a 39-minute window.

    • These versions introduced a hidden dependency, plain-crypto-js (v4.2.1), which served as the malware delivery vehicle.

    • An earlier version, plain-crypto-js@4.2.0, had been published 18 hours prior by the attacker as a clean decoy to build registry history and reduce suspicion.

  • Execution: Upon installation of the affected Axios versions via npm install, npm automatically resolves the dependency tree and installs plain-crypto-js, triggering its postinstall lifecycle hook.

    • This executes an obfuscated Node.js dropper script named setup.js (tracked by GTIG as SILKBELL) in the background without requiring any additional user interaction.

      • Execution does not occur at library runtime within an application; it occurs only at install time.

    • The dropper uses a two-layer encoding scheme to conceal its behavior: string reversal followed by Base64 decoding, then an XOR cipher using the key OrDeR_7077 with a position-dependent index.

  • Payload Delivery:

    • The dropper detects the target operating system and sends an HTTP POST request to the C2 server at http://sfrclak[.]com:8000/6202033 with a platform-specific request body to retrieve the appropriate second-stage payload.

    • The dropper deploys WAVESHAPER.V2, a cross-platform backdoor with the following platform-specific implementations:

      • macOS: AppleScript downloads a compiled C++ Mach-O binary to /Library/Caches/com.apple.act.mond, disguised as an Apple system daemon, and executes it silently via /bin/zsh.

      • Windows: The legitimate powershell.exe binary is copied to %PROGRAMDATA%\wt.exe, disguised as Windows Terminal. A VBScript wrapper downloads and executes a PowerShell RAT script (%TEMP%\6202033.ps1) with hidden window flags and execution policy bypass.

      • Linux: A Python RAT script is downloaded to /tmp/ld.py and launched via nohup python3 in the background.

  • WAVESHAPER.V2 capabilities observed across all platform variants include:

    • Remote command execution

    • File system enumeration

    • Binary payload injection and execution

  • Persistence: The malware creates a hidden batch file at %PROGRAMDATA%\system.bat and adds a registry Run key entry named MicrosoftUpdate under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run to re-launch the implant at logon.

    • Observed samples indicate persistence is implemented on Windows, with no persistence mechanisms identified for macOS or Linux variants.

  • Command and Control (C2): WAVESHAPER.V2 beacons to http://sfrclak[.]com:8000 every 60 seconds via HTTP POST, transmitting Base64-encoded JSON data.

    • All platform variants use a hardcoded User-Agent string spoofing Internet Explorer 8 on Windows XP: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0).

      • This string is anomalous on any modern platform and serves as a reliable detection indicator.

    • The backdoor supports four operator commands:

      • kill: Self-terminate

      • runscript: Execute shell commands or scripts

      • peinject: Drop and execute binary payloads

      • rundir: Enumerate directory contents

  • Anti-Forensics:

    • Upon successful payload delivery, the dropper self-destructs by deleting setup.js, removing the malicious package.json (which contained the postinstall hook), and replacing it with a clean decoy file named package.md.

    • Post-incident inspection of the node_modules directory shows no trace of malicious code.

  • Post-Exploitation:

    • Theft of developer credentials, API keys, and tokens

    • Access to local files, repositories, and project data

    • Potential compromise of CI/CD environments

    • Risk of lateral movement into connected systems


Impact

A successful compromise through this attack may result in:

  • Compromise of Developer Systems: Execution of WAVESHAPER.V2 on Windows, Linux, and macOS systems via the postinstall hook during dependency installation.

  • Credential Theft: Exposure of API keys, authentication tokens, SSH private keys, cloud credentials, and sensitive environment variables accessible on affected machines.

  • CI/CD Pipeline Compromise: Malicious code execution during automated build processes, with potential for secrets harvested from pipeline environments.

  • Unauthorized Access: Operator-directed access to source code, repositories, and internal systems via WAVESHAPER.V2's command execution and directory enumeration capabilities.

  • Supply Chain Risk: Downstream applications depending on Axios may be impacted. Projects using caret ranges (^1.14.0 or ^0.30.0) would have automatically resolved to compromised versions on the next npm install.

  • Operational and Business Impact: Service disruption, data exposure, and reputational damage.

Detection Method

Security teams should monitor for the following:

  • Node.js processes spawning unexpected child processes (e.g., cscript, curl, osascript, python3)

  • Execution of scripts from within node_modules directories

  • Suspicious activity during or immediately after npm install

  • Presence of affected package versions: axios@1.14.1, axios@0.30.4

  • Presence of the malicious dependency: plain-crypto-js (v4.2.0, v4.2.1)

  • Detection of file system artifacts associated with WAVESHAPER.V2 (see IOC table)

  • Outbound HTTP POST requests to sfrclak[.]com on port 8000, or to IP 142.11.206.73

  • HTTP traffic containing the User-Agent string: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)

    • A hardcoded string used by WAVESHAPER.V2 across all platforms, highly anomalous on macOS or Linux hosts

  • Presence of %PROGRAMDATA%\wt.exe (a renamed copy of powershell.exe)

  • Registry Run key entry named MicrosoftUpdate under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

  • Unauthorized changes in package.json or package-lock.json

  • Access to sensitive environment variables during build stages
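As an added example (not code from the advisory or from any of the vendors it cites), the following Node.js script applies the network and process indicators above to a few constructed log lines. The proxy and EDR log formats it parses are assumptions chosen for illustration; the hosts, port, User-Agent string and child-process names are the ones the advisory lists.

```javascript
// Added example, not code from the advisory or from any vendor: scans
// constructed proxy and process-creation log lines for the WAVESHAPER.V2
// indicators listed above. Both log formats are assumptions for illustration.

const C2_HOSTS = new Set(['sfrclak.com', '142.11.206.73']);
const C2_PORT = 8000;
// Hardcoded User-Agent the advisory attributes to all WAVESHAPER.V2 variants
const BEACON_UA = 'mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)';
// Child processes the advisory names as suspicious when spawned by Node.js
const SUSPICIOUS_CHILDREN = new Set(['cscript', 'cscript.exe', 'curl', 'osascript', 'python3']);

// Assumed proxy log format: <ts> <src-ip> <method> <url> ua="<user-agent>"
function checkProxyLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)"$/.exec(line);
  if (!m) return null;
  const [, ts, src, method, url, ua] = m;
  let host, port;
  try {
    const u = new URL(url);
    host = u.hostname;
    port = Number(u.port || (u.protocol === 'https:' ? 443 : 80));
  } catch {
    return null;
  }
  const reasons = [];
  if (C2_HOSTS.has(host)) reasons.push('known WAVESHAPER.V2 C2 host');
  if (method === 'POST' && port === C2_PORT) reasons.push('HTTP POST to port 8000');
  if (ua.toLowerCase() === BEACON_UA) reasons.push('WAVESHAPER.V2 User-Agent');
  return reasons.length ? { ts, src, host, reasons } : null;
}

// Assumed EDR event format: <ts> <hostname> parent=<image> child=<image> cmd="<command line>"
function checkProcessLine(line) {
  const m = /^(\S+) (\S+) parent=(\S+) child=(\S+) cmd="([^"]*)"$/.exec(line);
  if (!m) return null;
  const [, ts, host, parent, child, cmd] = m;
  const reasons = [];
  const p = parent.toLowerCase();
  const c = child.toLowerCase();
  if ((p === 'node' || p === 'node.exe') && SUSPICIOUS_CHILDREN.has(c)) reasons.push(`node spawned ${child}`);
  if (/[\\/]node_modules[\\/]/i.test(cmd)) reasons.push('script executed from node_modules');
  if (/programdata[\\/]+wt\.exe/i.test(cmd)) reasons.push('%PROGRAMDATA%\\wt.exe (renamed powershell.exe)');
  return reasons.length ? { ts, src: host, reasons } : null;
}

// Runs both checks over every line and collects the hits
function scan(lines) {
  const findings = [];
  for (const line of lines) {
    const f = checkProxyLine(line) || checkProcessLine(line);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample log lines (not real telemetry from any incident).
const SAMPLE_LOGS = [
  '2026-04-01T10:02:11Z 10.1.2.3 POST http://sfrclak.com:8000/6202033 ua="-"',
  '2026-04-01T10:03:11Z 10.1.2.3 POST http://142.11.206.73:8000/ ua="mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"',
  '2026-04-01T10:05:00Z 10.1.2.9 GET https://registry.npmjs.org/axios ua="npm/10.8.2 node/v22.11.0"',
  '2026-04-01T10:02:12Z devbox-7 parent=node child=osascript cmd="osascript /private/tmp/run.scpt"',
  '2026-04-01T10:02:10Z devbox-7 parent=node child=node cmd="node /home/dev/app/node_modules/plain-crypto-js/setup.js"',
  '2026-04-01T10:06:00Z devbox-8 parent=explorer.exe child=Code.exe cmd="C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"',
  '2026-04-01T10:07:00Z devbox-8 parent=wscript.exe child=wt.exe cmd="C:\\ProgramData\\wt.exe C:\\Users\\dev\\AppData\\Local\\Temp\\6202033.ps1"',
];

const FINDINGS = scan(SAMPLE_LOGS);
console.log(JSON.stringify(FINDINGS, null, 2));
```

Of the seven sample lines, five produce findings; the npm registry fetch and the VS Code launch do not. The User-Agent comparison is case-insensitive because the string the advisory quotes is all lower case, which is itself unusual for a genuine browser and is why it makes a good indicator.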

Indicators of Compromise

Malicious Packages

Indicator Type | Indicator | Description
npm Package | axios v1.14.1 | Compromised release; tagged latest at time of discovery
npm Package | axios v0.30.4 | Compromised release; tagged legacy at time of discovery
npm Package | plain-crypto-js v4.2.0 | Clean decoy published to build registry history
npm Package | plain-crypto-js v4.2.1 | Malicious dropper; delivers WAVESHAPER.V2 via postinstall hook
npm Package | @shadanai/openclaw v2026.3.28-2 | Related package distributing same malware
npm Package | @shadanai/openclaw v2026.3.28-3 | Related package distributing same malware
npm Package | @shadanai/openclaw v2026.3.31-1 | Related package distributing same malware
npm Package | @shadanai/openclaw v2026.3.31-2 | Related package distributing same malware
npm Package | @qqbrowser/openclaw-qbot v0.0.130 | Related package shipping tampered [email protected]

Network Indicators

Indicator Type | Indicator | Description
Domain | sfrclak[.]com | WAVESHAPER.V2 C2 domain
Domain | callnrwise[.]com | Attacker-associated domain
IP Address | 142.11.206.73 | WAVESHAPER.V2 C2 server
IP Address | 23.254.167.216 | Suspected UNC1069 infrastructure (GTIG)

File Hashes (SHA256)

Indicator Type | Indicator | Description
SHA256 | e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | SILKBELL dropper (setup.js)
SHA256 | fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | WAVESHAPER.V2 — Linux Python RAT (ld.py)
SHA256 | 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a | WAVESHAPER.V2 — macOS Mach-O binary (com.apple.act.mond)
SHA256 | 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | WAVESHAPER.V2 — Windows Stage 1 (6202033.ps1)
SHA256 | ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c | N/A
SHA256 | f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd | Windows persistence batch file (system.bat)
SHA256 | 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 | plain-crypto-js-4.2.1.tgz
SHA256 | ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7 | Campaign-associated hash
SHA256 | cdc05cd30eb53315dadb081a7b942bb876f0d252d20e8ed4d2f36be79ee691fa | Campaign-associated hash
SHA256 | 8449341ddc3f7fcc2547639e21e704400ca6a8a6841ae74e57c04445b1276a10 | Campaign-associated hash
SHA256 | 01c9484abc948daa525516464785009d1e7a63ffd6012b9e85b56477acc3e624 | Campaign-associated hash
SHA256 | 7b47ed28e84437aee64ffe9770d315c1b984135105f7f608a8b9579517bc0695 | Campaign-associated hash
SHA256 | 526ab39d1f56732e4e926715aaa797feb13b1ae86882ec570a4d292e7fdc3699 | Campaign-associated hash
SHA256 | a98e04dec3a7fe507eb30c72da808bad60bc14d9d80f9770ec99c438faa85a1a | Campaign-associated hash
SHA256 | 0d83030ab8bfba675fc1661f0756b6770be7dd80b1b718de3d68a01f2e79a5f4 | Campaign-associated hash
SHA256 | e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff | Campaign-associated hash
SHA256 | 506690fcbd10fbe6f2b85b49a1fffa9d984c376c25ef6b73f764f670e932cab4 | Campaign-associated hash
SHA256 | 4465bdeaddc8c049a67a3d5ec105b2f07dae72fa080166e51b8f487516eb8d07 | Campaign-associated hash
SHA256 | 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd | Campaign-associated hash
SHA256 | 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f | Campaign-associated hash
SHA256 | a224dd73b7ed33e0bf6a2ea340c8f8859dfa9ec5736afa8baea6225bf066b248 | Campaign-associated hash
SHA256 | 5e2ab672c3f98f21925bd26d9a9bba036b67d84fde0dfdbe2cf9b85b170cab71 | Campaign-associated hash
SHA256 | 20df0909a3a0ef26d74ae139763a380e49f77207aa1108d4640d8b6f14cab8ca | Campaign-associated hash
SHA256 | 5b5fbc627502c5797d97b206b6dcf537889e6bea6d4e81a835e103e311690e22 | Campaign-associated hash
SHA256 | 9c64f1c7eba080b4e5ff17369ddcd00b9fe2d47dacdc61444b4cbfebb23a166c | Campaign-associated hash

File System Artifacts

Indicator Type | Indicator | Description
File Path | /Library/Caches/com.apple.act.mond | macOS WAVESHAPER.V2 Mach-O binary; disguised as Apple system daemon
File Path | %PROGRAMDATA%\wt.exe | Windows: renamed copy of powershell.exe; disguised as Windows Terminal
File Path | %TEMP%\6202033.ps1 | Windows PowerShell RAT payload (transient; self-deletes)
File Path | %TEMP%\6202033.vbs | Windows VBScript launcher (transient; self-deletes)
File Path | %PROGRAMDATA%\system.bat | Windows persistence batch file (hidden)
File Path | /tmp/ld.py | Linux Python RAT payload

Attacker Accounts

Indicator Type | Indicator | Description
Email | ifstap@proton[.]me | Email set on compromised jasonsaayman npm account
Email | nrwise@proton[.]me | Attacker-created npm account that published plain-crypto-js



Recommendations

  • Assess Exposure: Identify all systems and applications using Axios.

    • Verify installed versions and dependency trees for affected versions (1.14.1, 0.30.4).

    • Inspect lockfiles specifically for the presence of plain-crypto-js (v4.2.0, v4.2.1).

  • Remove Malicious Versions and Downgrade: Immediately remove the affected Axios versions and downgrade to the last known safe versions: [email protected] or [email protected].

    • Pin these versions in package-lock.json to prevent accidental upgrades.

  • Assume Compromise if IOCs Are Found: If plain-crypto-js or any WAVESHAPER.V2 file artifacts are detected on a system, treat that environment as fully compromised.

    • Do not attempt in-place cleanup.

    • Rebuild from a known-good state.

  • Rotate All Credentials: Assume all secrets accessible on affected machines have been exfiltrated and immediately rotate:

    • npm tokens, AWS access keys, SSH private keys, cloud environment credentials (GCP, Azure), CI/CD secrets, and any values stored in .env files.

  • Inspect Developer and Build Environments:

    • Review developer machines and CI/CD pipeline logs for signs of compromise.

    • Check for the platform-specific indicators of compromise (IOCs).

    • Audit automated build logs to determine whether affected Axios versions were installed during recent runs.

  • Block C2 Infrastructure:

    • Block all outbound traffic to sfrclak[.]com, callnrwise[.]com, and the IP addresses 142.11.206.73 and 23.254.167.216.

    • Monitor for anomalous outbound connections on port 8000 and HTTP POST beaconing behavior.

  • Strengthen Access Security:

    • Enable multi-factor authentication on npm accounts and restrict access to package publishing.

    • Review CI/CD pipelines for long-lived tokens and replace with short-lived, scoped credentials.

  • Harden Dependency Management:

    • Use the --ignore-scripts flag during CI/CD installations to prevent postinstall hooks from executing during automated builds.

    • Use lockfiles to enforce dependency pinning and validate package integrity before installation.

  • Enhance Monitoring:

    • Monitor for the IE8/Windows XP User-Agent string (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)) in network logs.

    • Deploy EDR on developer workstations and build servers to detect suspicious Node.js child processes.
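The Assess Exposure step above, together with the caret-range point under Impact (^1.14.0 or ^0.30.0 resolving to a compromised release), can be carried out with a short Node.js audit. The script below is an added example, not code from the advisory or from npm; it takes the already-parsed contents of package.json and package-lock.json (JSON.parse of each file), reports the affected Axios versions and any plain-crypto-js entry in the resolved tree, and tests whether a declared caret range would have admitted a compromised version. The caret logic is a generalisation of the two ranges the advisory names, covering npm's plain x.y.z caret semantics; the sample manifests are constructed.

```javascript
// Added example, not code from the advisory or from npm: audits a parsed
// package.json and package-lock.json for the affected Axios versions, for
// plain-crypto-js anywhere in the tree, and for caret ranges that would
// have admitted a compromised version. The sample manifests are constructed.

// Versions the advisory lists as compromised or attacker-published
const AFFECTED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.0', '4.2.1']),
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm caret semantics for plain x.y.z ranges (prerelease tags not handled here):
// ^1.14.0 admits >=1.14.0 <2.0.0; ^0.30.0 admits >=0.30.0 <0.31.0; ^0.0.3 admits only 0.0.3.
function caretAdmits(range, version) {
  if (!range.startsWith('^')) return range === version;
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (!base || !v || compareVersions(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return compareVersions(v, base) === 0;
}

// Declared ranges in package.json: would an install without a lockfile
// have resolved to a compromised version?
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (name === 'plain-crypto-js') findings.push(`${field}: plain-crypto-js declared (${range})`);
      for (const bad of AFFECTED[name] || []) {
        if (caretAdmits(range, bad)) findings.push(`${field}: ${name} range ${range} admits compromised ${bad}`);
      }
    }
  }
  return findings;
}

// Resolved tree: lockfileVersion 2/3 "packages" (keyed by node_modules path)
// or lockfileVersion 1 nested "dependencies".
function auditLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === 'plain-crypto-js') findings.push(`${where}: plain-crypto-js@${version} present`);
    else if (AFFECTED[name] && AFFECTED[name].has(version)) findings.push(`${where}: compromised ${name}@${version}`);
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      check(name, meta.version, path);
      // hasInstallScript is set by npm when a package declares preinstall/install/postinstall
      if (meta.hasInstallScript) findings.push(`${path}: declares an install script (lifecycle hook)`);
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = prefix ? `${prefix} > ${name}` : name;
      check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample manifests (not taken from any real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { axios: '^1.14.0', express: '^4.19.2' },
};
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0', express: '^4.19.2' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/express': { version: '4.19.2' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '0.30.4', dependencies: { 'plain-crypto-js': { version: '4.2.1' } } },
    express: { version: '4.19.2' },
  },
};

console.log(auditManifest(SAMPLE_PACKAGE_JSON));
console.log(auditLockfile(SAMPLE_LOCK_V3));
console.log(auditLockfile(SAMPLE_LOCK_V1));
```

Any plain-crypto-js entry is reported regardless of version, since the package has no legitimate reason to be in an Axios dependency tree; the install-script flag is reported separately because it is the lifecycle hook, not the package name, that gives the dropper execution at install time.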

Conclusion

The Axios npm supply chain compromise highlights the significant risk posed by the compromise of a trusted open-source maintainer account. By injecting the SILKBELL dropper into two Axios release branches simultaneously, the UNC1069 threat actor gained a delivery mechanism capable of reaching millions of environments. The resulting WAVESHAPER.V2 backdoor, deployed across Windows, macOS, and Linux, provides full remote access, including command execution, filesystem enumeration, and binary payload injection. Organizations should treat any confirmed installation of the affected Axios versions as a high-severity incident and take immediate action to contain the threat, rotate credentials, and rebuild affected environments.
