On March 31, a North Korea-nexus threat actor (UNC1069) compromised the axios npm package, one of the most widely used JavaScript libraries with over 100 million weekly downloads. The attacker published two malicious versions (1.14.1 and 0.30.4) containing a cross-platform remote access trojan tracked as WAVESHAPER.V2, targeting macOS, Windows and Linux developer environments. The malicious versions were live on the npm registry for approximately three hours before being removed. 

Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on malware lineage and infrastructure overlaps.

Systems that installed the affected versions are considered fully compromised. Developers are advised to downgrade to axios@1.14.0 or 0.30.3, remove the phantom dependency (plain-crypto-js), rotate all secrets and rebuild affected systems.

For more information about this supply chain attack, including IoCs, remediation guidance and Tenable product coverage, please visit our blog.