惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Register - Security
The Register - Security
IT之家
IT之家
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
I
InfoQ
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
博客园 - Franky
C
Check Point Blog
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog
Recent Announcements
Recent Announcements
云风的 BLOG
云风的 BLOG
美团技术团队
The Cloudflare Blog
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
The GitHub Blog
The GitHub Blog
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
V
V2EX
aimingoo的专栏
aimingoo的专栏
GbyAI
GbyAI
G
Google Developers Blog
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
罗磊的独立博客
量子位
MongoDB | Blog
MongoDB | Blog
Last Week in AI
Last Week in AI
Stack Overflow Blog
Stack Overflow Blog
小众软件
小众软件
D
Docker
人人都是产品经理
人人都是产品经理

Tenable Blog

SharePoint CVEs FAQ: CVE-2026-56164, CVE-2026-32201, CVE-2026-45659 | Tenable® Build agentic AI security at Tenable Swarm, Black Hat 2026 SonicWall CVE-2026-15409 and CVE-2026-15410 zero-day exploited | Tenable® Understanding Anthropic’s new AI agent Claude Tag’s access model in Slack 5 reasons to integrate AppSec data with your exposure management platform July 2026 Patch Tuesday: Largest Patch Tuesday 569 CVEs FedRAMP High, IL5, and zero trust: How federal agencies can secure cloud environments OMB M-26-14: Why federal agencies must fix asset visibility first CISO’s guide to CISA BOD 26-04 and risk-based security metrics for vulnerability management How much cyber risk does AI create for organizations? 457 million security issues. Here’s what you can do about it. The Developer Credential Economy: An inside look at the Miasma worm campaign Oracle Critical Security Patch Update June 2026 | Tenable® How Tenable helps federal agencies comply with CISA BOD 26-04 Get critical cyber risk context: Understanding control validation, CTEM & Tenable One CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE-2026-50507) The June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help Tenable joins Anthropic’s Project Glasswing to advance AI-era cyber defense Tenable CTO Vlad Korsunsky Q&A: Countering AI threat multipliers with AI-powered exposure management | Tenable CTO Q&A: C-suite views AI as massive threat, as cyber teams adopt exposure management to counter AI attacks Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs Download pumping: New npm deception technique for supply chain attacks Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect EXPOSURE 2026 prepares cybersecurity professionals for the AI era Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) Tenable One deepens third-party integrations with new Open Connector for unified risk visibility Implement agentic AI in cybersecurity with Tenable Hexa AI: Reduce cyber risk at machine speed Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182) Bring out your dead: How agentic AI for cybersecurity helps you rid your cloud of forgotten, risky assets Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation Securing data centers in the agentic AI era Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103) Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain Why the approaching flood of vulnerabilities changes everything — and what to do about it The AI-vs-AI battle is already happening. Watch it live at EXPOSURE 2026. Anthropic’s CEO warns the “moment of danger” is real. But most are looking in the wrong place. Security for AI: A strategic framework for closing the AI exposure gap Vulnerability remediation: Match CVEs to asset owners in seconds with Tenable Hexa AI Bridging the gap: How to integrate Claude Security into the Tenable One Exposure Management Platform Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability Mastering agentic AI security through exposure management As the NVD scales back CVE enrichment, here’s what Tenable customers need to know Five steps to become Mythos ready Oracle April 2026 Critical Patch Update Addresses 241 CVEs Beating the Mythos clock: Using Tenable Hexa AI custom agents for automated patching Unlocking foundational visibility for cyber-physical systems with OT vulnerability management Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild The developer credential economy: Why exposure data is the new front line in the supply chain war Supply chain attack on Axios npm package: Scope, impact, and remediations What’s new in Tenable Cloud Security: Custom policies, AWS ABAC, and research-driven protection Uncover prompt injection, insider threats with the Tenable One Model Refusal Detection Security for AI: A guide to managing the risks of vibe coding and AI in software development Meet Tenable Hexa AI: Agentic AI for exposure management
Frequently Asked Questions About the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069
2026-04-01 · via Tenable Blog

A North Korea-nexus threat actor compromised the widely used axios npm package, delivering a cross-platform remote access trojan to potentially millions of developer environments during a three-hour window on March 31.

Key takeaways:

  1. The axios npm package, which has over 100 million weekly downloads, was compromised in a supply chain attack attributed by Google Threat Intelligence Group (GTIG) to UNC1069, a financially motivated North Korea-nexus threat actor.
     
  2. Malicious versions 1.14.1 and 0.30.4 were live on the npm registry for approximately three hours and delivered the WAVESHAPER.V2 backdoor to macOS, Windows and Linux systems.
     
  3. The malicious versions have been removed from npm, and developers who installed them are advised to treat affected systems as fully compromised, rotate all credentials and rebuild from clean snapshots.
     

Background

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a supply chain attack against the axios npm package.

FAQ

What happened to the axios npm package?

On March 31, 2026, an attacker published two malicious versions of the axios npm package, versions 1.14.1 and 0.30.4, to the npm registry. The attacker had compromised the maintainer account associated with the package and injected a malicious dependency called "plain-crypto-js" that served as a delivery vehicle for a cross-platform remote access trojan (RAT). The malicious versions were live on the npm registry for approximately three hours before they were identified and removed.

See how recent supply chain attacks are creating a black market for highly privileged developer credentials

How popular is the axios npm package?

Axios is one of the most widely used JavaScript libraries, used to simplify HTTP requests. The 1.x branch typically has over 100 million weekly downloads, and the 0.x branch has over 83 million.

How was the axios maintainer account compromised?

According to analysis by StepSecurity and Google Threat Intelligence Group (GTIG), the attacker compromised the npm account belonging to @jasonsaayman and changed the associated email address to an attacker-controlled address ([email protected]).

The attacker used a long-lived classic npm access token to publish the malicious versions, bypassing the GitHub Actions OIDC workflow used for legitimate releases. Legitimate axios releases show a trusted publisher binding to GitHub Actions with a corresponding GitHub commit and tag. The malicious versions lacked this entirely, providing one of the clearest signals that the release was unauthorized.

What is the malicious dependency and how does it work?

The attacker published a purpose-built malicious package called [email protected] to npm approximately 22 minutes before publishing the first malicious axios version. A clean decoy version (4.2.0) was published roughly 18 hours earlier. The only change to the axios package itself was the addition of plain-crypto-js as a dependency in package.json. The package is never imported or referenced in axios source code.

When npm installs the compromised axios version, the plain-crypto-js package's postinstall hook executes an obfuscated JavaScript file called setup.js, which GTIG tracks as SILKBELL. This dropper uses a two-layer encoding scheme combining reversed Base64 and XOR cipher (key: "OrDeR_7077", constant: 333) to conceal its command-and-control (C2) URL and execution commands. It dynamically loads Node.js modules (fs, os, execSync) to evade static analysis.

After deploying the platform-specific payload, the dropper performs anti-forensic cleanup: it deletes itself, deletes the malicious package.json, and renames a clean stub file (package.md) to package.json, leaving a completely clean manifest upon post-infection inspection.

What malware does the attack deliver?

GTIG tracks the platform-specific payloads as WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously attributed to UNC1069. WAVESHAPER.V2 variants exist for macOS (native C++ binary), Windows (PowerShell) and Linux (Python).

On macOS, the dropper downloads a Mach-O binary to /Library/Caches/com.apple.act.mond, disguised as an Apple system cache file.

On Windows, it copies the legitimate PowerShell executable to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal) and uses a VBScript launcher to execute a downloaded PowerShell script with hidden execution and policy bypass flags. Windows persistence is achieved through a hidden batch file (%PROGRAMDATA%\system.bat) and a registry run key (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) named "MicrosoftUpdate."

On Linux, a Python RAT is downloaded to /tmp/ld.py and launched via nohup.

Regardless of platform, WAVESHAPER.V2 beacons to the C2 server every 60 seconds using Base64-encoded JSON and a hardcoded User-Agent string spoofing Internet Explorer 8 on Windows XP. The backdoor supports commands including:

  • kill (terminate)
  • rundir (filesystem enumeration)
  • runscript (execute AppleScript)
  • peinject (binary injection).

Who is behind this attack?

GTIG attributed this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The group has previously been tracked as both CryptoCore and MASAN by ClearSky (2020) and GTIG (2025), respectively. The attribution is based on the use of WAVESHAPER.V2 (a direct evolution of the WAVESHAPER backdoor previously attributed to UNC1069), infrastructure overlaps (connections from a specific AstrillVPN node previously used by UNC1069) and adjacent infrastructure on the same ASN historically linked to UNC1069 operations.

How quickly was the compromise detected?

Socket.dev's automated malware scanner detected the compromise within approximately six minutes of the first malicious version being published. Both malicious axios versions were removed from the npm registry approximately three hours after publication.

Time (UTC)Event
March 30, 05:57[email protected] (clean decoy) published
March 30, 23:59[email protected] (malicious) published with postinstall hook
March 31, 00:05Socket automated scanner detects compromise (~6 min)
March 31, 00:21[email protected] published
March 31, 01:00[email protected] published
March 31, 01:50Elastic Security Labs files GitHub Security Advisory to Axios repo
March 31, ~03:15npm unpublishes both malicious axios versions
March 31, 03:25npm initiates security hold on plain-crypto-js
March 31, 04:26Security stub replaces malicious package

How widespread is the potential impact?

With over 100 million weekly downloads across both branches, the blast radius of a three-hour compromise window is significant. StepSecurity reported that its Harden-Runner tool detected anomalous C2 contact in over 12,000 projects. Hundreds of other npm packages depend on axios, amplifying the downstream exposure.

GTIG cautioned that "hundreds of thousands of stolen secrets could potentially be circulating" as a result of this and other recent supply chain attacks, potentially enabling further software supply chain compromises, SaaS environment breaches, ransomware events and cryptocurrency theft.

Are there indicators of compromise (IoCs)?

Yes. GTIG published a comprehensive set of IoCs in their blog post as well as Socket.dev in addition to GTIG’s free GTI Collection for registered users. Types of IoCs available include network indicators (C2 domain and IPs), file hashes (SHA256 for all platform-specific payloads and the dropper), file system artifacts by platform, YARA rules for retrospective hunting and Google Security Operations detection rules.

Key network indicators to block: sfrclak[.]com and 142.11.206.73 (port 8000).

Is this related to other recent supply chain attacks?

This attack is one of several recent open-source supply chain compromises attributed to North Korea-nexus actors. GTIG noted that UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations. While UNC1069 and UNC6780 are tracked as separate threat actors, the pattern of North Korea-nexus groups targeting open-source package ecosystems represents a broader trend.

What remediation steps are available?

The malicious axios versions (1.14.1 and 0.30.4) have been removed from the npm registry. Developers and organizations that installed either version are advised to:

  • Downgrade to safe versions: [email protected] or [email protected]
  • Remove the phantom dependency: node_modules/plain-crypto-js/
  • Block C2 traffic to sfrclak[.]com and 142.11.206.73
  • Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots
  • Audit CI/CD pipelines: ephemeral runners require secret rotation; self-hosted runners are treated as fully compromised
  • Search for file artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux)

For long-term hardening, package managers now support version cooldown policies that prevent automatic installation of newly published versions:

Package ManagerSetting
npm (v11.10.0+)min-release-age=7d in .npmrc
pnpm (v10.16+)minimum-release-age=7d
Yarn (v4.10+)npmMinimalAgeGate: "7d"
Bun (v1.3+)minimumReleaseAge = 604800

Has Tenable released any product coverage?

Yes, Tenable plugins that detect the compromised axios npm package and the malicious plain-crypto-js npm package are available.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Axios libraries by utilizing the filter JavaScript Libraries contains Axios

Screenshot of the Tenable Attack Surface Management Explore interface showing a query filtered by "JavaScript Libraries contains Axios."

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Research Special Operations

Research Special Operations

The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.