
Axios npm Supply Chain Attack (UNC1069): Detecting WAVESHAPER.V2 and Remediation for Versions 1.14.1/0.30.4

Security Arsenal Team
April 9, 2026

On March 31, the open-source ecosystem suffered a significant shock when the widely used axios npm package—boasting over 100 million weekly downloads—was compromised in a targeted supply chain attack. Google Threat Intelligence Group (GTIG) attributes this operation to UNC1069, a North Korea-nexus threat actor financially motivated to compromise developer environments.

During a narrow three-hour window, malicious versions 1.14.1 and 0.30.4 were published to the npm registry. These versions did not simply break functionality; they delivered WAVESHAPER.V2, a cross-platform Remote Access Trojan (RAT) capable of establishing persistence on Windows, Linux, and macOS systems.

For defenders, this is not a routine vulnerability. This is an active intrusion scenario. If these versions were installed, the affected developer workstation is not merely "vulnerable"—it is likely compromised and functioning as a beachhead for the threat actor.

Technical Analysis

Affected Products and Versions:

  • Package: axios (HTTP client)
  • Malicious Versions: 1.14.1, 0.30.4
  • Clean Versions: 1.14.0, 0.30.3 (and subsequent clean releases 1.15.0, 0.30.5)
  • Platforms: Cross-platform (Windows, Linux, macOS)

Attack Chain (Defender's Perspective):

  1. Initial Compromise: UNC1069 gained access to the maintainer's npm credentials or build pipeline.
  2. Malicious Publication: The attacker published the two malicious versions containing a weaponized postinstall script.
  3. Execution: When a developer or CI/CD pipeline ran npm install, the postinstall script triggered immediately.
  4. Payload Deployment: The script fetched and executed the WAVESHAPER.V2 RAT.
  5. C2 Establishment: The beaconing agent connected to attacker-controlled infrastructure, providing remote access to the host.
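The execution step above hinges on npm running a package's install-time lifecycle scripts automatically. The following script is an added example, not code from the original post or from the axios project: it walks a node_modules tree and lists every installed package that declares a preinstall, install or postinstall hook, so a reviewer can see what ran (or would run) during npm install. The sample manifests at the bottom are constructed for the demonstration.

```python
"""Inventory the npm packages under node_modules that register install-time hooks.

Added example (not from the original post or the axios project). npm runs the
preinstall, install and postinstall scripts declared in a package's
package.json automatically during "npm install"; that hook is the execution
step in the attack chain above. Listing every installed package that declares
one shows a reviewer what ran, or what would run, without relying on the
registry listing. Sample manifests below are constructed, not real packages.
"""
import json
import os

# Lifecycle scripts npm executes for a dependency during "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for each install-time script a package.json declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scan_node_modules(node_modules: str) -> list:
    """Return (name, version, hooks) for every installed package with install hooks.

    Only package.json files that sit directly in a package directory are read
    (node_modules/<pkg> or node_modules/@scope/<pkg>), so fixtures and test
    data nested deeper inside a package are skipped.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        parent = os.path.basename(os.path.dirname(dirpath))
        if parent != "node_modules" and not parent.startswith("@"):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        hooks = install_hooks(manifest)
        if hooks:
            found.append((manifest.get("name", os.path.basename(dirpath)),
                          manifest.get("version", "unknown"), hooks))
    return found


# Constructed manifests standing in for two installed packages (not real data).
SAMPLE_MANIFESTS = {
    "hooked-pkg": {"name": "hooked-pkg", "version": "3.1.0",
                   "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"}},
    "plain-pkg": {"name": "plain-pkg", "version": "1.0.0",
                  "scripts": {"build": "tsc"}},
}

if __name__ == "__main__":
    # Run from a project root; prints one line per hook found under ./node_modules.
    for name, version, hooks in scan_node_modules("node_modules"):
        for hook, command in hooks.items():
            print(f"{name}@{version}\t{hook}\t{command}")
```

Run it from a project root after an install to see which dependencies executed code on the machine. For pipelines that should never run third-party install hooks, npm honours `ignore-scripts=true` in .npmrc (or `npm install --ignore-scripts`); packages that need a native build step then have to be handled explicitly.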

Exploitation Status:

  • Status: Confirmed Active Exploitation. The malicious versions were live for approximately three hours.
  • CVSS: Supply chain attacks often result in high CVSS scores (e.g., 9.8+), but the immediate risk is driven by the execution of arbitrary code rather than a specific software flaw.

Detection & Response

Identifying an affected host requires hunting for the package installation events themselves and for the malicious execution that followed. Standard vulnerability scanners will flag the package version, but verifying whether the malicious script actually executed requires endpoint telemetry.

Sigma Rules

These rules target the installation of the specific malicious versions and suspicious process execution patterns associated with the postinstall hook.

YAML
---
title: Axios Malicious Package Installation (UNC1069)
id: 9a8f7d6e-5b4a-4c3d-9e1f-2a3b4c5d6e7f
status: experimental
description: Detects the installation of known malicious Axios npm versions (1.14.1 or 0.30.4) associated with the UNC1069 supply chain attack.
references:
  - https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069
author: Security Arsenal
date: 2025/03/31
tags:
  - attack.initial_access
  - attack.t1195.002
  - attack.supply_chain
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
    Image|endswith:
      - '\node.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'axios@1.14.1'
      - 'axios@0.30.4'
      - 'axios" "1.14.1'
      - 'axios" "0.30.4'
  condition: selection
falsepositives:
  - Legitimate testing of specific package versions (unlikely in production)
level: critical
---
title: Suspicious Node.js Child Process Execution
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Node.js spawning shells or making network connections, typical behavior of malicious npm postinstall scripts like WAVESHAPER.V2.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/03/31
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\bash.exe'
      - '\sh.exe'
  condition: selection
falsepositives:
  - Legitimate build scripts or development tools
level: medium
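To show what the two Sigma selections above actually match, here is an added example (not from the original post) that replays the same logic in Python against constructed process-creation events. Field names follow the Sigma process_creation schema (ParentImage, Image, CommandLine); the sample events are made up for the demonstration and are not real captures.

```python
"""Replay the two Sigma rules above against constructed process-creation events.

Added example, not part of the original post. Sigma's endswith/contains
modifiers are case-insensitive by default, which the helpers below mirror.
"""

# Rule 1 selection: command-line markers for the malicious releases.
MALICIOUS_MARKERS = (
    "axios@1.14.1",
    "axios@0.30.4",
    'axios" "1.14.1',
    'axios" "0.30.4',
)
NPM_PARENTS = ("\\node.exe", "\\npm.cmd")
NPM_IMAGES = ("\\node.exe", "\\cmd.exe")
# Rule 2 selection: shells a malicious postinstall hook would spawn from node.exe.
SHELL_IMAGES = ("\\powershell.exe", "\\cmd.exe", "\\bash.exe", "\\sh.exe")


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_malicious_install(event: dict) -> bool:
    """Rule 1: node/npm parent, node/cmd child, command line names a malicious version."""
    return (
        _endswith_any(event.get("ParentImage", ""), NPM_PARENTS)
        and _endswith_any(event.get("Image", ""), NPM_IMAGES)
        and _contains_any(event.get("CommandLine", ""), MALICIOUS_MARKERS)
    )


def rule_node_spawns_shell(event: dict) -> bool:
    """Rule 2: node.exe spawning a shell interpreter."""
    return (
        _endswith_any(event.get("ParentImage", ""), ("\\node.exe",))
        and _endswith_any(event.get("Image", ""), SHELL_IMAGES)
    )


def evaluate(events) -> list:
    """Return (rule_title, level, event) for every event a rule fires on."""
    hits = []
    for ev in events:
        if rule_malicious_install(ev):
            hits.append(("Axios Malicious Package Installation (UNC1069)", "critical", ev))
        if rule_node_spawns_shell(ev):
            hits.append(("Suspicious Node.js Child Process Execution", "medium", ev))
    return hits


# Constructed sample telemetry (not real captures): one install of a malicious
# version, one node-spawned shell, one clean install, one unrelated shell.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\nodejs\npm.cmd",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install axios@1.14.1'},
    {"ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /d /s /c node scripts/postinstall.js"},
    {"ParentImage": r"C:\Program Files\nodejs\npm.cmd",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install axios@1.14.0'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for title, level, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] {title}: {ev['CommandLine']}")
```

Note how the clean install of 1.14.0 and the explorer-spawned shell produce no hits, while the node-spawned cmd.exe fires the medium-severity rule on its own; that second rule is the one that confirms execution rather than mere installation, and it is also the one that needs tuning against legitimate build tooling.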

KQL (Microsoft Sentinel / Defender)

This query hunts for the installation commands in process logs and network connections that may indicate C2 beaconing associated with the RAT.

KQL — Microsoft Sentinel / Defender
// Hunt for malicious Axios installation commands
DeviceProcessEvents
| where Timestamp > datetime(2025-03-31 00:00:00) // Adjust time window as needed for your region/log ingestion
| where InitiatingProcessFileName has "node" or InitiatingProcessFileName has "npm"
| where ProcessCommandLine has "axios" and (ProcessCommandLine has "1.14.1" or ProcessCommandLine has "0.30.4")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

The most reliable method for confirming whether a developer machine pulled the malicious code is inspecting the package-lock.json file. This VQL artifact hunts for the specific version strings within lock files.

VQL — Velociraptor
-- Hunt for malicious Axios versions in package-lock.json files.
-- The regex matches both lock file layouts: v1 ("axios": { "version": "1.14.1" })
-- and v2/v3 ("node_modules/.../axios": { "version": "1.14.1" }), as well as exact pins.
-- Narrow the globs to where projects live; a bare /** walk of the whole disk is slow.
-- On Windows use forward-slash globs such as 'C:/Users/**/package-lock.json'.
LET lockfiles = SELECT OSPath, Mtime, Size
  FROM glob(globs=['/home/**/package-lock.json', '/Users/**/package-lock.json', '/opt/**/package-lock.json'])

SELECT OSPath, Mtime, Size
FROM lockfiles
WHERE read_file(filename=OSPath) =~ '"([^"]*/)?axios"\s*:\s*(\{\s*"version"\s*:\s*)?"(1\.14\.1|0\.30\.4)"'

Remediation Script (Bash)

Use this script on Linux/macOS build agents or developer workstations to audit and remove the malicious package versions.

Bash / Shell
#!/bin/bash
# Audit for the malicious axios releases and, if found, replace them.
# The lock-file check reads the whole file as one line so it also matches
# lockfile v2/v3 entries ("node_modules/axios": { "version": "1.14.1" }),
# not only exact "axios": "1.14.1" pins.

BAD_VERSIONS='(1\.14\.1|0\.30\.4)'
LOCK_PATTERN="\"([^\"]*/)?axios\"[[:space:]]*:[[:space:]]*([{][[:space:]]*\"version\"[[:space:]]*:[[:space:]]*)?\"${BAD_VERSIONS}\""

echo "Auditing npm packages for malicious Axios versions..."

# Check for global installations
echo "Checking global packages..."
npm list -g --depth=0 2>/dev/null | grep -E "axios@${BAD_VERSIONS}"

# Check for local installations in current directory (run this in project roots)
echo "Checking local packages..."
if [ -f "package-lock.json" ]; then
  if tr -d '\n' < package-lock.json | grep -Eq "${LOCK_PATTERN}"; then
    echo "[ALERT] Malicious Axios version found in package-lock.json."
    echo "Removing axios and reinstalling latest clean version..."
    npm uninstall axios
    npm install axios@latest
  else
    echo "[SAFE] No malicious Axios versions found in package-lock.json."
  fi
else
  echo "No package-lock.json found in current directory."
fi

# Force clean cache to prevent re-installation of cached malicious tarballs
echo "Cleaning npm cache..."
npm cache clean --force
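Both the VQL artifact and the shell script above locate the malicious versions by pattern-matching the lock file text. As an added example (not from the original post or the axios project), the following Python auditor parses package.json and package-lock.json structurally instead, so it handles lockfileVersion 1 (nested "dependencies" trees) and 2/3 (flat "packages" keyed by node_modules path) alike, including an axios copy nested under another dependency that a top-level version check would miss. The lock file and manifest samples are constructed for the demonstration.

```python
"""Audit npm manifests and lock files for the malicious axios releases.

Added example, not part of the original post. Parsing the JSON structure
instead of grepping catches every installed copy of axios, wherever it sits
in the dependency tree, and does not depend on the lock file's whitespace.
"""
import json
import os

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
LOCK_NAMES = ("package-lock.json", "npm-shrinkwrap.json")


def findings_from_lockfile(lock: dict) -> list:
    """Return [(path_in_tree, version)] for every malicious axios entry in a lock file."""
    hits = []
    # lockfileVersion 2 and 3: "packages" maps "node_modules/.../axios" -> {"version": ...}
    for path, meta in lock.get("packages", {}).items():
        if path.split("/")[-1] == "axios" and meta.get("version") in MALICIOUS_AXIOS:
            hits.append((path, meta["version"]))

    # lockfileVersion 1: nested "dependencies" trees (v2 repeats this section
    # for backwards compatibility, so it is only walked when "packages" is absent).
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            node = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in MALICIOUS_AXIOS:
                hits.append((node, meta["version"]))
            walk(meta.get("dependencies", {}), node + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return hits


def findings_from_manifest(manifest: dict) -> list:
    """Return [(section, spec)] where package.json pins a malicious axios exactly.

    Ranges such as "^1.14.0" can still resolve to 1.14.1; the lock file is the
    authoritative record of what was installed, so this only catches exact pins.
    """
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get("axios")
        if spec and spec.lstrip("=v") in MALICIOUS_AXIOS:
            hits.append((section, spec))
    return hits


def audit_tree(root: str) -> list:
    """Walk a directory and return (file, location, version) for every finding."""
    report = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Lock files already describe the installed tree, so node_modules is skipped.
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for fn in filenames:
            if fn != "package.json" and fn not in LOCK_NAMES:
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed file: nothing to report
            hits = findings_from_manifest(data) if fn == "package.json" else findings_from_lockfile(data)
            report.extend((full, where, ver) for where, ver in hits)
    return report


# Constructed lock files and manifest (not real captures): a v3 lock where the
# top-level axios is clean but a transitive copy is malicious, a v1 lock with a
# malicious top-level axios, and a manifest with one exact pin and one range.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.14.0", "some-sdk": "2.0.0"}},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/some-sdk": {"version": "2.0.0", "dependencies": {"axios": "1.14.1"}},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}
  }
}""")
SAMPLE_LOCK_V1 = json.loads("""{
  "name": "legacy", "lockfileVersion": 1,
  "dependencies": {
    "axios": {"version": "0.30.4"},
    "other": {"version": "1.0.0", "dependencies": {"axios": {"version": "0.30.3"}}}
  }
}""")
SAMPLE_MANIFEST = {"dependencies": {"axios": "1.14.1"}, "devDependencies": {"axios": "^1.14.0"}}

if __name__ == "__main__":
    # Audit every project under the current directory.
    for path, where, version in audit_tree("."):
        print(f"[ALERT] {path}: {where} -> axios {version}")
```

Point the script at a directory of checked-out repositories on a developer workstation or build agent to get a single list of affected lock files; a finding should be followed by the isolation and credential-rotation steps below rather than by an in-place reinstall.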

Remediation Steps

  1. Immediate Isolation: If the malicious versions (1.14.1 or 0.30.4) are found, isolate the affected host from the network immediately. Treat the host as fully compromised (C2 access likely established).
  2. Version Verification: Run npm ls axios in all project directories. If the output shows axios@1.14.1 or axios@0.30.4, the environment is compromised.
  3. Package Removal and Re-installation:
    • Remove the malicious package: npm uninstall axios
    • Clear the npm cache to ensure the malicious tarball is removed: npm cache clean --force
    • Install a verified safe version (e.g., npm install axios@latest or npm install axios@1.14.0).
  4. Credential Reset: Assume that credentials (API keys, AWS tokens, git credentials) present in the environment variables or source code on the compromised machine were exfiltrated. Rotate all secrets immediately.
  5. Forensic Image: For production build servers or critical developer workstations, acquire a forensic image before re-imaging the machine to facilitate investigation into potential lateral movement.
