Google Attributes Axios npm Supply Chain Attack to North Korean UNC1069, Links Backdoor to WAVESHAPER Evolution

Google has formally attributed the Axios npm supply chain attack to UNC1069, a North Korean threat cluster tracked by Mandiant and Google's Threat Intelligence Group since 2018. The attribution, confirmed by GTIG chief analyst John Hultquist, links the compromise of the JavaScript ecosystem's most popular HTTP client to Pyongyang's ongoing financially motivated cyber operations.

The connection was first flagged by Elastic Security Labs based on functionality overlaps between the cross-platform RAT deployed in the Axios attack and known UNC1069 tooling. Google and Mandiant have now confirmed the backdoor is WAVESHAPER.V2, a direct evolution of WAVESHAPER — a C++ backdoor previously attributed to UNC1069 in campaigns targeting the cryptocurrency sector.

While the original WAVESHAPER used a lightweight raw binary C2 protocol with code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports an expanded command set. Despite these upgrades, both versions accept C2 URLs dynamically via command-line arguments, share identical C2 polling behavior and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories — including /Library/Caches/com.apple.act.mond on macOS.

Google has designated the obfuscated JavaScript dropper as SILKBELL, which functions as the initial execution stage within the malicious plain-crypto-js dependency. SILKBELL detects the host operating system and fetches the appropriate WAVESHAPER.V2 variant — PowerShell on Windows, a compiled C++ Mach-O binary on macOS, and a Python backdoor on Linux. All three variants beacon to the C2 at 60-second intervals and support four commands: process termination, directory enumeration, OS-specific script execution, and arbitrary binary injection.
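The beacon behaviour described above, combined with the network indicators listed under "What Defenders Should Do" below, can be turned into a hunting check. The following Node script is an added example and is not code from Google, Elastic, Mandiant or the Axios project. It scores POST traffic per source/destination pair on three signals: a fixed cadence close to the reported 60-second interval, a body that Base64-decodes to a JSON object, and a legacy IE8-on-Windows-XP User-Agent. The record format, the sample requests, the jitter tolerance and the exact User-Agent tokens (the article only says "IE8/Windows XP") are assumptions made for the example; a real feed would be Zeek http.log with body extraction, a TLS-terminating proxy log or EDR network telemetry.

```javascript
// Added example (not Google/Elastic/Mandiant code): score HTTP request records for the
// WAVESHAPER.V2 beacon pattern described in the article: ~60 s POST cadence to one host,
// a Base64-encoded JSON body, and an IE8-on-Windows-XP style User-Agent.
// Record shape {ts, src, dst, method, ua, body} and all sample data are constructed.

const BEACON_PERIOD_S = 60;   // interval reported for WAVESHAPER.V2
const JITTER_S = 3;           // tolerance assumed here; the article gives none
const MIN_REQUESTS = 4;       // need several intervals before calling traffic periodic

// Assumption: the article only says "IE8/Windows XP"; these are the canonical tokens
// such a User-Agent carries (MSIE 8.0 on Windows NT 5.1).
const LEGACY_UA = /MSIE 8\.0;.*Windows NT 5\.1/;

// True when the body is well-formed Base64 whose decoded text is a JSON object or array.
// Buffer.from(..., 'base64') silently skips invalid characters, so the regex pre-check matters.
function decodesToJson(body) {
  if (!body || !/^[A-Za-z0-9+/]+={0,2}$/.test(body)) return false;
  try {
    const obj = JSON.parse(Buffer.from(body, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object';
  } catch {
    return false;
  }
}

// True when every gap between consecutive requests is within JITTER_S of the beacon period.
function isPeriodic(timestamps) {
  if (timestamps.length < MIN_REQUESTS) return false;
  const ts = [...timestamps].sort((a, b) => a - b);
  for (let i = 1; i < ts.length; i++) {
    if (Math.abs(ts[i] - ts[i - 1] - BEACON_PERIOD_S) > JITTER_S) return false;
  }
  return true;
}

// Groups POST requests by (src, dst) and returns pairs matching at least two of three signals.
// A lone 60 s cadence is common for legitimate agents, hence the combined score.
function findBeacons(records) {
  const groups = new Map();
  for (const r of records) {
    if (r.method !== 'POST') continue;
    const key = `${r.src}->${r.dst}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const hits = [];
  for (const [pair, reqs] of groups) {
    const signals = {
      periodic: isPeriodic(reqs.map(r => r.ts)),
      legacyUa: reqs.every(r => LEGACY_UA.test(r.ua)),
      b64Json: reqs.every(r => decodesToJson(r.body)),
    };
    const score = Object.values(signals).filter(Boolean).length;
    if (score >= 2) hits.push({ pair, requests: reqs.length, ...signals, score });
  }
  return hits;
}

// Constructed sample: one host beaconing to the C2 domain named in the article with ±1 s
// jitter, and one benign host that also polls every minute but with a normal UA and body.
const b64 = o => Buffer.from(JSON.stringify(o)).toString('base64');
const SAMPLE = [];
for (let i = 0; i < 5; i++) {
  SAMPLE.push({
    ts: 1000 + i * 60 + (i % 2), src: '10.0.0.5', dst: 'sfrclak.com', method: 'POST',
    ua: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
    body: b64({ id: 'host-5', cmd: 'poll', seq: i }),
  });
  SAMPLE.push({
    ts: 1000 + i * 60, src: '10.0.0.7', dst: 'updates.example.net', method: 'POST',
    ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36',
    body: 'client=agent&v=3',
  });
}

console.log(JSON.stringify(findBeacons(SAMPLE), null, 2));
```

Running the block flags only the 10.0.0.5 to sfrclak.com pair with all three signals, while the benign poller scores one and is ignored. Treat this as a hunting aid rather than a control: the operator can change the User-Agent, the interval or the encoding at will, so the score thresholds and the domain/IP blocks below should be paired with the dependency audit rather than relied on alone.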

The operational sophistication of the attack reflects a threat actor treating supply chain compromise as a scalable, repeatable operation. Both the modern 1.x and legacy 0.x Axios release branches were compromised within 40 minutes of each other, payloads for three operating systems were pre-staged, and the dropper included built-in anti-forensic cleanup: after execution it overwrote its own package manifest with a clean stub, so that a later inspection of the installed package would show nothing suspicious.

UNC1069 has deep experience with supply chain attacks, which the group has historically leveraged to support cryptocurrency theft operations aligned with North Korea's revenue generation objectives. Hultquist noted that the full breadth of the incident remains unclear, but given the popularity of the compromised package, far-reaching impacts are expected.

There are also early indications the campaign may be expanding beyond npm. ReversingLabs has flagged signs of similar activity appearing in PyPI and NuGet registries, consistent with a strategy designed to maximize developer reach across multiple package ecosystems.

What Defenders Should Do:

All guidance from the initial Axios compromise remains in effect: audit lockfiles and installed node_modules trees (not just the version ranges in package.json, which can resolve to an affected release) for axios@1.14.1, axios@0.30.4, and any version of plain-crypto-js, and treat any system that installed the affected versions as fully compromised, including developer workstations and CI/CD runners. The DPRK attribution elevates the severity: UNC1069's objective is credential and cryptocurrency theft, so exposed npm tokens, cloud credentials, wallet keys, and CI/CD secrets should be assumed stolen and rotated immediately, from a clean host rather than from the compromised one. Expand audits beyond npm to include PyPI and NuGet dependencies feeding build pipelines.

Block sfrclak[.]com and 142.11.206.73 at the network perimeter, and monitor for the WAVESHAPER.V2 indicators: the IE8/Windows XP User-Agent string and 60-second beacon intervals over HTTP POST with Base64-encoded JSON payloads. A 60-second polling cadence by itself is common in legitimate software, so correlate it with the User-Agent and payload encoding rather than alerting on the interval alone, and expect the actor to rotate infrastructure once the indicators are public.
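As an added example, not code from the advisory, Google or the Axios project, the following Node script audits a parsed package-lock.json for the versions named above. It handles both lockfile v1 (a nested "dependencies" tree) and lockfile v2/v3 (a flat "packages" map keyed by node_modules path), so a transitive copy of axios pulled in by some other SDK is caught as well as the top-level one. The sample lockfiles and their package versions other than the three affected ones are constructed for the example.

```javascript
// Added example (not advisory or Axios project code): find compromised Axios and
// plain-crypto-js entries in an npm lockfile, including transitive copies.
// Works on the object returned by JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).

const AFFECTED = {
  axios: new Set(['1.14.1', '0.30.4']),   // versions named in the advisory
  'plain-crypto-js': null,                 // null: every version of the malicious dependency
};

// v2/v3 "packages" keys look like "node_modules/foo/node_modules/@scope/bar";
// the package name is everything after the last "node_modules/".
function nameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function isAffected(name, version) {
  if (!(name in AFFECTED)) return false;
  const bad = AFFECTED[name];
  return bad === null || bad.has(version);
}

// Returns [{name, version, path}] for every affected entry in a parsed lockfile.
function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) {                          // lockfileVersion 2 or 3: flat map
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue;                 // the root project entry
      const name = meta.name || nameFromPath(key);  // "name" is set only for aliased packages
      if (isAffected(name, meta.version)) findings.push({ name, version: meta.version, path: key });
    }
  } else if (lock.dependencies) {               // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (isAffected(name, meta.version)) findings.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample lockfiles. "legacy-sdk" and its pinned axios are invented to show a
// nested, transitive copy; only the three affected versions come from the advisory.
const SAMPLE_LOCK_V3 = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.1.0' },
    'node_modules/legacy-sdk': { version: '2.0.0' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '1.7.9' },
  },
};

const SAMPLE_LOCK_V1 = {
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    axios: { version: '1.7.9' },
    'legacy-sdk': {
      version: '2.0.0',
      dependencies: { axios: { version: '0.30.4' } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`, auditLockfile(lock));
}
```

The v3 sample yields two findings (the top-level axios@1.14.1 and plain-crypto-js) and leaves the clean nested axios alone; the v1 sample yields one finding, the axios@0.30.4 hidden under legacy-sdk. On a machine with npm 7 or later, `npm ls axios plain-crypto-js --all` gives the same view for a single project, but a script like this can be run across every lockfile in a monorepo or artifact store without installing anything.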