
North Korean Hackers Linked to Axios Npm Supply Chain Compromise
Why It Matters
The breach demonstrates how a brief supply‑chain compromise can expose millions of JavaScript applications to espionage and ransomware, underscoring the urgent need for stronger package‑security controls.
Key Takeaways
- North Korean group UNC1069 linked to the Axios npm supply chain breach.
- Malicious Axios versions were live on npm for under three hours.
- The WAVESHAPER.V2 backdoor targets macOS, Windows and Linux using C++, PowerShell and Python variants.
- The attack could affect millions of apps through transitive dependencies.
- Experts urge scans of CI/CD pipelines and remediation of any secrets stolen from them.
Pulse Analysis
Supply chain attacks have become a staple of state-backed cyber operations, and the recent Axios incident reinforces that trend. Axios is a foundational library in the JavaScript ecosystem, often pulled in as a transitive dependency by millions of projects, which means most affected teams never chose to install it directly. By hijacking a maintainer's npm credentials, the attackers published versions carrying a small install-time script that fetched the WAVESHAPER.V2 backdoor; npm runs such lifecycle scripts automatically during `npm install`, so simply resolving the dependency was enough to execute the attacker's code. This approach mirrors previous campaigns in which threat actors embed malicious code in widely used open-source components, exploiting the trust developers place in package registries to achieve rapid, low-profile distribution.
Technical analysis indicates that WAVESHAPER.V2 is a versatile remote access trojan written in C++ for macOS, with PowerShell and Python variants for Windows and Linux. The backdoor connects to command-and-control servers hosted on infrastructure previously associated with UNC1069, a North Korean group active since 2018 and focused on cryptocurrency theft. The short-lived release, available for under three hours, reflects a "hit-and-run" strategy: it slips past automated scanners that run on a schedule while still reaching CI/CD pipelines that resolve floating version ranges at build time instead of installing from a committed lockfile. The incident also aligns with concurrent supply chain compromises attributed to TeamPCP (UNC6780), suggesting a coordinated effort to harvest credentials for downstream ransomware and extortion operations.
For enterprises, the Axios breach is a wake-up call to harden software bill of materials (SBOM) processes and enforce strict verification of third-party packages. Organizations should implement provenance checks, enforce signed-package policies, pin dependencies through a lockfile, and monitor for anomalous install scripts in build environments. Rapid remediation is essential to limit lateral movement: remove the compromised versions, rotate npm credentials and any other secrets that were present on hosts that ran the install, and scan those hosts for the WAVESHAPER payload. As supply chain threats continue to evolve, a proactive, layered defense will be critical to safeguarding the modern software development lifecycle.