North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
April 1, 2026, 7:29 p.m.
Description
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM release versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. The malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Date
- Created: April 1, 2026, 1:28 p.m.
- Published: April 1, 2026, 1:28 p.m.
- Modified: April 1, 2026, 7:29 p.m.
Indicators
Additional Information
- sfrclak.com