Targeted Supply Chain Compromise of Axios NPM Distribution (UNC1069)

While routine CI/CD pipelines ran and developer machines updated their dependencies, a state-sponsored actor had already poisoned one of the most trusted libraries in modern software. The Axios compromise was not a test; it was a pre-positioned strike against the infrastructure of the internet itself.

This report details the technical mechanics, adversary profile, and remediation guidance for the Axios npm supply chain compromise of March 31, 2026. The attack window lasted just under three hours; exposure occurred in an estimated 3% of affected environments. Organizations that run npm install or trigger CI/CD pipelines within that window must assume full environment compromise.  

On March 31, 2026, the global software supply chain experienced a high-criticality event involving the compromise of the Axios npm package, a ubiquitous JavaScript HTTP client, with 100 million weekly downloads, present in approximately 80% of cloud environments. The actor published malicious versions 1.14.1 and 0.30.4, embedding the WAVESHAPER.V2 Remote Access Trojan via a multi-stage dropper named SILKBELL. The campaign is attributed with high confidence to UNC1069, a North Korea-nexus actor targeting cloud credentials, SSH keys, and Kubernetes tokens for long-term espionage. The exposure window was 00:21–03:20 UTC. Organizations that installed the affected versions during that period must treat their environment as fully compromised.

The Attack That Moved Faster Than Defenders Could React

Supply chain attacks targeting pervasive libraries are a force multiplier for state-sponsored actors. By poisoning a root dependency, adversaries bypass perimeter defenses and land inside developer workstations, CI/CD runners, and production build environments in a single stroke.

Axios is not a niche library. It is foundational JavaScript infrastructure; an HTTP client downloaded over 100 million times per week and present in approximately 80% of cloud environments. Compromising its distribution channel was a calculated choice: maximum blast radius, minimum effort. 

The attacker also demonstrated a horizontal spread. Researchers identified secondary poisoned packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot, that bundled the malicious Axios versions, extending the campaign’s reach beyond direct Axios consumers. 

Adversary Operations Group Analyst Note: The C2 URL path /6202033 is the attack date (3-30-2026) reversed, a signature Easter egg frequently observed in sophisticated APT campaigns to mark campaign iterations. This level of deliberate craft is consistent with UNC1069’s known tradecraft. 

Incident Timeline (UTC), March 30–31, 2026 

TIME (UTC)      | EVENT
March 30, 05:57 | Actor publishes plain-crypto-js@4.2.0, a clean decoy to build benign registry reputation.
March 30, 23:59 | plain-crypto-js updated to 4.2.1, introducing the SILKBELL (setup.js) dropper.
March 31, 00:21 | Compromised jasonsaayman account publishes axios@1.14.1. Attack window opens.
March 31, 01:00 | Legacy branch targeted: axios@0.30.4 published to catch organizations pinned to older versions.
March 31, 01:50 | Initial security advisories filed; coordinated disclosure begins.
March 31, 03:20 | Malicious versions removed from registry. Window closes, but execution had already occurred.

Technical Analysis: The Multi-Stage Infection Chain

The compromise succeeded despite the Axios project’s use of OIDC (OpenID Connect) Trusted Publishing. The attacker exploited a critical fallback vulnerability: while the GitHub Actions workflow was configured for OIDC, it still passed a long-lived NPM_TOKEN environment variable. npm defaults to the token if present, allowing the actor, who had stolen this secret, to bypass OIDC provenance entirely. 
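As an added illustration (not the Axios project's own workflow or code), the constructed GitHub Actions publish job below shows the fallback pattern described above beside its hardened form, with a small line-based auditor that flags the pattern; the job layout, the secret names and the NPM_TOKEN/NODE_AUTH_TOKEN variable names are assumptions.

```python
import re

# Constructed GitHub Actions publish job showing the fallback described above: the job
# requests an OIDC token (id-token: write) but still hands npm a long-lived NPM_TOKEN,
# and npm defaults to that token whenever one is present.
VULNERABLE_WORKFLOW = """\
name: publish
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Same job with the trailing env block removed: OIDC Trusted Publishing is the only credential.
HARDENED_WORKFLOW = VULNERABLE_WORKFLOW.rsplit("        env:", 1)[0]

TOKEN_VARS = ("NPM_TOKEN", "NODE_AUTH_TOKEN")  # assumed variable names for long-lived npm secrets


def audit_workflow(text: str) -> list:
    """Line-based check, not a YAML parser: flag a publish job that keeps a token fallback."""
    findings = []
    has_oidc = re.search(r"^\s*id-token:\s*write\s*$", text, re.M) is not None
    publishes = re.search(r"^\s*-?\s*run:.*\bnpm publish\b", text, re.M) is not None
    token_lines = [ln.strip() for ln in text.splitlines() if any(v in ln for v in TOKEN_VARS)]
    if publishes and token_lines and has_oidc:
        findings.append("OIDC requested but a long-lived npm token is still passed: " + token_lines[0])
    elif publishes and token_lines:
        findings.append("publishing with a long-lived npm token only; no Trusted Publishing")
    elif publishes and not has_oidc:
        findings.append("npm publish without id-token: write; OIDC publishing cannot work")
    return findings
```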

The actor also performed a full account takeover (ATO), changing the maintainer’s registered email to ifstap@proton.me to lock out the legitimate developer before publishing. 

Stage 1: SILKBELL (setup.js), Dropper Logic 

The plain-crypto-js dependency triggered a post-install hook that executed setup.js. SILKBELL employed a two-layer obfuscation scheme: string reversal combined with Base64 encoding, and an XOR cipher using a position-dependent index formula (7 × i² % 10) keyed to OrDeR_7077. 

To evade forensic analysis, SILKBELL performed a manifest swap, replacing the malicious package.json with a clean decoy (package.md), then deleted itself via fs.unlink immediately after staging the second-stage payload. From npm install to full system compromise: approximately 15 seconds. 

Stage 2: Platform-Specific Delivery 

The dropper identified the host OS and pulled the appropriate payload from sfrclak[.]com:8000/6202033. Each delivery path was tailored to exploit native OS trust mechanisms: 

  • Windows: VBScript downloads the second stage via curl. PowerShell is copied to %PROGRAMDATA%\wt.exe, masquerading as Windows Terminal, to bypass process monitoring. The .ps1 RAT is then executed. 
  • macOS: A Mach-O Universal Binary is dropped to /Library/Caches/com.apple.act.mond. osascript executes AppleScript for execution and persistence. 
  • Linux: A Python-based binary is dropped to a hidden file in /tmp/ using a random 6-character string (e.g., /tmp/.XXXXXX). 

Malware Deep Dive: WAVESHAPER.V2

WAVESHAPER.V2 is a unified cross-platform implant. Although each OS variant is implemented in a different language, the operational logic (beaconing, session management, command set, and C2 transport) is identical across all platforms.

Platform Implementation 

FEATURE     | WINDOWS             | MACOS                   | LINUX
Language    | PowerShell          | C++ (Mach-O Universal)  | Python
Execution   | Copied wt.exe       | Native Universal Binary | Python interpreter
Persistence | Registry Run key    | osascript logic         | Transient (/tmp/)
Evasion     | Renamed interpreter | codesign self-signing   | Hidden temp files

Core RAT capabilities:

  • Beaconing: Hardcoded 60-second heartbeat cadence to C2. 
  • Session Management: Generates a 16-character random alphanumeric session UID per execution. 
  • C2 Transport: HTTP POST with base64-encoded JSON bodies. 
  • Command Set: kill (termination), rundir (directory enumeration), runscript (arbitrary script execution), peinject (drop and execute additional binaries). 
  • High-Fidelity Indicator: All platforms use the anachronistic User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0). 
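An added example, not from the original report: a matcher for the WAVESHAPER.V2 network characteristics listed above (C2 host, reversed-date path, port 8000, IE8 User-Agent), run over constructed proxy log lines; the log format and the sample traffic are assumptions.

```python
import re

# Network indicators taken from this report (added example; the values are the report's IOCs).
C2_HOSTS = {"sfrclak.com", "142.11.206.73"}
C2_PATH = "/6202033"
C2_PORT = 8000
IE8_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"

# Assumed proxy log format (constructed for this example): <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
URL_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:?]+)(?::(?P<port>\d+))?(?P<path>/[^?]*)?')

def classify(line: str):
    """Return {'severity', 'reasons'} for a suspicious line, or None if it is benign or unparseable."""
    m = LOG_RE.match(line.strip())
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return None
    host = u["host"].lower()
    port = int(u["port"]) if u["port"] else (443 if u["scheme"] == "https" else 80)
    path = u["path"] or "/"
    reasons = []
    if host in C2_HOSTS:
        reasons.append("destination is known WAVESHAPER C2 infrastructure")
    if m["ua"].lower() == IE8_UA:  # compare case-insensitively; the report quotes the string in lowercase
        reasons.append("anachronistic IE8 User-Agent used by every WAVESHAPER.V2 variant")
    if m["method"] == "POST" and path == C2_PATH:
        reasons.append("HTTP POST to the reversed-date C2 path /6202033")
    if reasons:
        return {"severity": "critical", "reasons": reasons}
    if port == C2_PORT:  # not an IOC by itself, but the egress the report says runners should block
        return {"severity": "medium", "reasons": ["egress to non-standard port 8000"]}
    return None

# Constructed sample lines (not real traffic): two C2 beacons, one benign registry fetch, one port-8000 outlier.
SAMPLE_LOG = """\
2026-03-31T00:26:11Z 10.0.5.21 POST http://sfrclak.com:8000/6202033 "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
2026-03-31T00:27:11Z 10.0.5.21 POST http://142.11.206.73:8000/6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-03-31T00:30:00Z 10.0.5.22 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v20.11.0 linux x64"
2026-03-31T00:31:00Z 10.0.5.23 POST http://203.0.113.9:8000/api/report "python-requests/2.31.0"
"""

def scan(log_text: str):
    """Run classify() over every line and return [(line_number, result)] for the hits."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        res = classify(line)
        if res:
            hits.append((n, res))
    return hits
```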

The macOS variant’s ability to self-sign injected payloads via the native codesign utility indicates a sophisticated understanding of OS-level trust controls. This technique is specifically designed to bypass Gatekeeper-style protections, allowing arbitrary code to appear as legitimately signed software. This capability marks a meaningful step forward in WAVESHAPER’s evasion sophistication.

Adversary Profile: UNC1069 (North Korea-Nexus)

Thrive’s Adversary Operations Group (AOG) within the Cybersecurity Incident Response Team (CIRT) attributes this campaign with High Confidence to UNC1069, a North Korea-nexus actor. Attribution rests on two pillars: the evolution of the WAVESHAPER backdoor (originally C++ for macOS/Linux, now expanded to a unified cross-platform JSON protocol) and infrastructure overlaps linking the C2 domain sfrclak[.]com to AstrillVPN nodes and specific IP ranges previously reserved for UNC1069 espionage operations.

UNC1069’s defining operational characteristic is its focus on silent credential harvesting and long-term access over immediate destruction or extortion. The stealthy self-cleanup of the Axios payloads, deleting the dropper and swapping the manifest, is consistent with this doctrine. 

 AOG Analyst Note, UNC1069 vs UNC6780 (TeamPCP): While this incident occurred near the same timeframe as campaigns by UNC6780 (TeamPCP), Thrive’s AOG distinguishes between the two. TeamPCP focuses on immediate extortion and CanisterWorm deployments. UNC1069 prioritizes silent credential harvesting and long-term access, evidenced here by the stealthy self-cleanup and the absence of ransomware or extortion demands. 

Risk Assessment: Impact and Likelihood

The systemic risk of this incident is extreme. The 15-second window between npm install and full system compromise renders manual intervention impossible. If the affected versions were present in your environment during the exposure window, assume total compromise of every secret accessible to those processes. 

Primary Impact Vectors 

  • Developer Workstations: Direct exfiltration of source code, SSH keys, and local secrets from engineer machines. 
  • CI/CD Pipelines: Compromise of environment variables, build secrets, cloud provider credentials, and signing keys embedded in runners. 
  • Production Containers: Images built during the 3-hour window using npm install (ignoring lockfiles) may have the RAT baked into actively running production environments. 

Secret Harvesting Targets 

UNC1069’s primary objective in this campaign was the collection of secret data.

TARGET SECRET TYPE       | RISK     | IMPACT
SSH Private Keys         | Critical | Immediate lateral movement capability
.env Files               | Critical | Aggregated secrets across services
AWS / Azure / GCP Tokens | Critical | Full cloud environment takeover
Kubernetes Tokens        | Critical | Container orchestration compromise
Cryptocurrency Wallets   | High     | Direct financial theft

Detection and Mitigation Recommendations

Countering this campaign requires action across two horizons: immediate remediation for environments that may have been exposed and structural hardening to prevent recurrence. 

Immediate Remediation 

  1. Lockfile and Image Auditing: Scan all package-lock.json files and running container images for axios@1.14.1 or axios@0.30.4. Use grype or syft for container inspection. Images built during the 3-hour window using npm install (ignoring lockfiles) likely have the RAT baked in. 
  2. Secret Rotation: Assume total compromise of any secret present in any environment where the affected versions are executed. Rotate cloud tokens (AWS, Azure, GCP), SSH keys, database credentials, and API tokens without exception. 
  3. Cache Purge: Clear all local and shared npm, yarn, and pnpm caches to prevent accidental re-infection from cached malicious artifacts. 
  4. Log Auditing: Search network logs for HTTP POST requests to the URI /6202033, bearing the User-Agent string mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0), and JSON body prefixes such as packages.npm.org/product1. 
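An added example (not part of the report) for remediation step 1: a scanner for package-lock.json that flags the poisoned axios versions, the plain-crypto-js dropper version and the two secondary packages named earlier, across v1 (nested) and v2/v3 (flat) lockfile layouts; the sample lockfile is constructed.

```python
import json

# Package versions this report names as poisoned (axios) or as the dropper carrier (plain-crypto-js).
AFFECTED = {"axios": {"1.14.1", "0.30.4"}, "plain-crypto-js": {"4.2.1"}}
# Secondary packages the report says bundled the malicious axios; any version is flagged for review.
SECONDARY = {"@shadanai/openclaw", "@qqbrowser/openclaw-qbot"}


def _check(name, version, path, findings):
    if version in AFFECTED.get(name, ()):
        findings.append({"package": name, "version": version, "path": path, "reason": "poisoned version"})
    elif name in SECONDARY:
        findings.append({"package": name, "version": version, "path": path, "reason": "bundles poisoned axios"})


def _walk_v1(deps, findings, prefix=""):
    """Lockfile v1 keeps a nested 'dependencies' tree: name -> {version, dependencies?}."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}{name}"
        _check(name, meta.get("version"), path, findings)
        _walk_v1(meta.get("dependencies"), findings, f"{path}/")


def scan_lockfile(text: str):
    """Return findings for a package-lock.json, handling v1 (nested) and v2/v3 (flat 'packages') layouts."""
    lock = json.loads(text)
    findings = []
    packages = lock.get("packages")
    if packages:
        for key, meta in packages.items():  # key is the node_modules path; "" is the root project
            if key:
                _check(key.rsplit("node_modules/", 1)[-1], meta.get("version"), key, findings)
    else:
        _walk_v1(lock.get("dependencies"), findings)
    return findings


# Constructed v3 lockfile: a direct poisoned axios, a secondary package, and a nested poisoned copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0", "@shadanai/openclaw": "^0.3.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/@shadanai/openclaw": {"version": "0.3.0"},
        "node_modules/@shadanai/openclaw/node_modules/axios": {"version": "1.14.1"},
    },
})
```

The scanner only sees what the lockfile pinned; images built with a bare npm install that ignored the lockfile still need the syft/grype inspection step 1 calls for.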

Hardening Measures 

  • Migrate Secrets: Use aws-vault or equivalent tools to move plaintext secrets from .env files into the OS keychain. 
  • Enforce OIDC-Only: Revoke all long-lived npm tokens. Mandate OIDC Trusted Publishing without legacy token fallback. The fallback mechanism was the precise vulnerability exploited in this campaign. 
  • Network Filtering: Implement strict egress monitoring for CI/CD runners, blocking non-standard ports (e.g., 8000) and unknown external IPs. 
  • Runtime Visibility: Extend EDR monitoring to cover Deno and non-standard JavaScript runtimes, a hardening lesson drawn from parallel Seedworm campaigns now relevant across the threat landscape.

Indicators of Compromise (IOCs)

Immediate Action Required: Ingest all indicators below into your SIEM and Threat Intelligence Platform immediately. Any network traffic to the C2 infrastructure or matching the IE8 User-Agent string must be treated as a critical, high-priority escalation requiring immediate incident response.

File Hashes (SHA-256 / SHA-1) 

ARTIFACT           | TYPE             | HASH
setup.js           | SILKBELL Dropper | SHA-256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
com.apple.act.mond | macOS RAT        | SHA-256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
6202033.ps1        | Windows RAT      | SHA-256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
ld.py              | Linux RAT        | SHA-256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
axios@1.14.1       | Poisoned Package | SHA-1: 2553649f232204966871cea80a5d0d6adc700ca
axios@0.30.4       | Poisoned Package | SHA-1: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71

Network Indicators 

TYPE              | INDICATOR                         | DETAILS
Domain (Defanged) | sfrclak[.]com                     | Primary C2
IP (Defanged)     | 142.11.206[.]73                   | Primary C2
Domain (Defanged) | callnrwise[.]com                  | Actor Infrastructure
URL Pattern       | http://sfrclak[.]com:8000/6202033 | Payload / C2 Path

Host-Based Artifacts 

PATH / REGISTRY KEY                                                | OS      | DETAILS
%PROGRAMDATA%\wt.exe                                               | Windows | Masqueraded PowerShell interpreter
%TEMP%\6202033.vbs                                                 | Windows | Stage-2 VBScript downloader
/tmp/.XXXXXX.scpt                                                  | macOS   | Temporary AppleScript file
/Library/Caches/com.apple.act.mond                                 | macOS   | Masqueraded system daemon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate | Windows | Persistence registry key

MITRE ATT&CK Mapping

TACTIC            | TECHNIQUE ID | TECHNIQUE NAME                      | BEHAVIOUR OBSERVED
Initial Access    | T1195.002    | Supply Chain: Dependencies          | Hijacking Axios npm distribution.
Execution         | T1059.002    | AppleScript                         | macOS execution via osascript.
Persistence       | T1547.001    | Registry Run Keys                   | MicrosoftUpdate run key (Windows).
Defense Evasion   | T1070.004    | File Deletion                       | Dropper self-deletion and manifest swap.
Defense Evasion   | T1553.002    | Code Signing                        | macOS self-signing of injected payloads.
Credential Access | T1552.001    | Unsecured Credentials: Private Keys | SSH keys and cloud token harvesting.
C2                | T1071.001    | Web Protocol                        | HTTP POST with spoofed IE8 User-Agent.

Analyst Comment: The Identity-Only Trust Model Is Broken

The Axios compromise is a definitive case study in the failure of the “identity-only” trust model. While the industry has pushed for multi-factor authentication as a panacea, this incident proves that MFA on login is irrelevant if long-lived tokens remain active and unrotated. The adversary bypassed modern OIDC protections precisely because the ecosystem permitted a legacy token fallback. Thrive AOG maintains High Confidence that UNC1069 retains an unknown quantity of exfiltrated secrets from this campaign, which will likely fuel secondary breaches throughout the 2026 fiscal year. We strongly advise clients to move toward a “Zero-Trust Dependency” architecture where third-party packages are treated as untrusted code by default, regardless of the maintainer’s reputation. The next supply chain event is not a matter of if, but when.