Post by SolventAi CyberSecurity


#Axios just got backdoored by North Korea. 100 million weekly npm downloads. Present in roughly 80% of cloud and code environments. And for a 3-hour window on March 31, anyone whose npm install resolved to one of the backdoored versions got a DPRK RAT on their machine.

Here's how the attack worked:

1. UNC1069 social-engineered the Axios maintainer (jasonsaayman) through a fake company founder identity, a cloned Slack workspace, and a bogus Microsoft Teams call.
2. Used a compromised long-lived npm access token to bypass the CI/CD publishing workflow, even though MFA was enabled on the account.
3. Changed the account email to an attacker-controlled Proton Mail address (ifstap@proton[.]me).
4. Published a clean release of plain-crypto-js, an identical copy of crypto-js, to establish publishing history.
5. ~18 hours later, pushed a new plain-crypto-js version carrying an obfuscated dropper (SILKBELL/setup.js) that runs from a postinstall hook.
6. Published two backdoored Axios versions (1.14.1 and 0.30.4) that inject plain-crypto-js as a runtime dependency.
7. The dropper detected the target OS, deployed WAVESHAPER.V2 (a cross-platform RAT for Windows, macOS, and Linux), then replaced its own package.json with a clean version to destroy forensic evidence.

Google's GTIG attributed this to UNC1069, a financially motivated DPRK threat actor active since at least 2018. Socket[.]dev's scanner detected the compromise within 6 minutes. npm pulled the malicious versions roughly 3 hours after publication. But even a 3-hour window on a package this ubiquitous means a significant blast radius.

The real Axios package has only 3 dependencies: follow-redirects, form-data, proxy-from-env. The addition of plain-crypto-js is unambiguous tampering.

This follows Trivy, Checkmarx KICS, and LiteLLM, all compromised within weeks by a separate DPRK group (UNC6780). 2026 is the year the open-source supply chain started collapsing in on itself.

If you use Axios:
∙ Check for versions 1.14.1 or 0.30.4
∙ Downgrade to 1.14.0 or 0.30.3
∙ Remove node_modules/plain-crypto-js/
∙ Block C2 traffic to sfrclak[.]com and 142[.]11[.]206[.]73
∙ Audit CI/CD pipelines that ran npm install during the exposure window. Installs driven by an existing, untouched lockfile stayed on the pinned version; the exposure is in installs that resolved axios fresh (no lockfile, a lockfile refresh, or a dependency bump)
∙ Rotate all credentials on any affected system
∙ Treat affected systems as fully compromised

The real lesson: MFA alone didn't stop this. The maintainer had it enabled. MFA protects the interactive login; a long-lived npm token, still valid alongside the OIDC credentials, authenticates a publish without ever prompting for it. Token hygiene (revoke every token the CI workflow no longer needs) and OIDC-only publishing are the actual fix.

Full attack flow diagram below.

#SupplyChainSecurity #Cybersecurity #Axios #npm #DPRK #DevSecOps #AppSec #ThreatIntelligence
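As an added example that is not part of the original post or of the Axios project, the following Node script turns the checklist above into a lockfile audit: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and flags an axios entry resolved to 1.14.1 or 0.30.4, any axios dependency beyond the three expected ones, and a plain-crypto-js package installed anywhere in the tree. The two embedded lockfiles and every version range in them are constructed for the demo; the rogue package's version is a placeholder, since the post does not give it.

```javascript
"use strict";
// Added example, not code from the original post or from the Axios project.
// Audits a package-lock.json (lockfileVersion 2 or 3, which carry a "packages"
// map keyed by install path) for the indicators the post lists.
// The sample lockfiles and their version ranges are constructed for the demo.

const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const EXPECTED_AXIOS_DEPS = new Set(["follow-redirects", "form-data", "proxy-from-env"]);
const ROGUE_PACKAGE = "plain-crypto-js";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (handles nested and scoped installs)
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Returns a list of findings; an empty list means none of the indicators are present.
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project's own entry
    const name = meta.name || packageNameFromPath(installPath);

    if (name === "axios") {
      if (AFFECTED_AXIOS_VERSIONS.has(meta.version)) {
        findings.push({ kind: "axios-affected-version", path: installPath, version: meta.version });
      }
      // The real package declares exactly three dependencies; anything else is tampering.
      const unexpected = Object.keys(meta.dependencies || {}).filter((d) => !EXPECTED_AXIOS_DEPS.has(d));
      if (unexpected.length > 0) {
        findings.push({ kind: "axios-unexpected-dependency", path: installPath, dependencies: unexpected });
      }
    }

    if (name === ROGUE_PACKAGE) {
      // hasInstallScript is set by npm when the package declares (pre/post)install scripts.
      findings.push({
        kind: "rogue-package-installed",
        path: installPath,
        version: meta.version,
        hasInstallScript: Boolean(meta.hasInstallScript),
      });
    }
  }
  return findings;
}

function verdict(findings) {
  return findings.length === 0 ? "clean" : "treat-as-compromised";
}

// Constructed sample: a tree that resolved to the backdoored axios and pulled in the rogue dependency.
const SAMPLE_COMPROMISED = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0", "plain-crypto-js": "*" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// Constructed sample: the same app on the version the post says to downgrade to.
const SAMPLE_CLEAN = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.0",
      dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" },
    },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; with no argument it audits the compromised sample.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_COMPROMISED;
  const findings = auditLockfile(lock);
  console.log(JSON.stringify({ verdict: verdict(findings), findings }, null, 2));
}
```

Run it against every package-lock.json a CI runner touched during the exposure window; a "treat-as-compromised" verdict is the trigger for the credential rotation and host-rebuild steps above, and a lockfile that never contained the rogue package does not prove a runner is clean if that runner ran npm install without a lockfile.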
