
Defending Against the Axios npm Supply Chain Attack: Detection and Remediation

Security Arsenal Team
April 2, 2026

## Introduction

On March 31, a sophisticated supply chain attack targeted the axios npm package, one of the most popular libraries in the JavaScript ecosystem with over 100 million weekly downloads. A North Korea-nexus threat actor, tracked as UNC1069, successfully published malicious versions of the package to the public registry. This event underscores a critical reality for defenders: the software supply chain is a high-value target. When a trusted dependency is weaponized, the blast radius can extend to millions of developer environments instantly. Security teams must move beyond traditional vulnerability scanning and implement robust monitoring for build and dependency management pipelines.

## Technical Analysis

The attack involved the compromise of the official axios npm account. The threat actor published two malicious versions:

* 1.14.1 (intended for the latest line)
* 0.30.4 (intended for an older line)

These versions were available on the npm registry for approximately three hours. During this window, developers or CI/CD systems running `npm install axios` (or specifying these exact versions) pulled down a trojanized package containing WAVESHAPER.V2, a cross-platform Remote Access Trojan (RAT).

Technical Details:

* Vector: Dependency Confusion / Supply Chain Compromise.
* Payload: WAVESHAPER.V2 (RAT capable of running on Windows, Linux, and macOS).
* Mechanism: The malicious package included a postinstall script or obfuscated code designed to execute the payload upon installation.
* Severity: Critical. While the window was short, the payload grants the attacker unauthorized remote access to the environment where the package was installed.
* Fix: The npm registry has removed the malicious versions. The current remediation involves ensuring systems are running clean versions of axios (e.g., 1.14.0 or 1.14.2+).

## Defensive Monitoring

Detecting a supply chain attack requires correlating process execution with package management activities. Security Operations Centers (SOCs) should immediately hunt for installations of the specific malicious versions and investigate any child processes spawned by Node.js during that timeframe.

### SIGMA Detection Rules

The following SIGMA rules identify the installation of the malicious package versions and suspicious behavior associated with the WAVESHAPER payload. The version match is split into its own selection so that the command line must contain both the package name and one of the malicious version strings.

```yaml
---
title: Installation of Compromised Axios NPM Package Versions
id: 8f1a2b3c-4d5e-6f7g-8h9i-0j1k2l3m4n5o
status: experimental
description: Detects the installation of the malicious axios package versions (1.14.1 and 0.30.4) associated with the UNC1069 supply chain attack.
references:
  - https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.supply_chain
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_pkg:
    Image|endswith: '\npm.exe'
    CommandLine|contains: 'axios'
  selection_version:
    CommandLine|contains:
      - '1.14.1'
      - '0.30.4'
  condition: selection_pkg and selection_version
falsepositives:
  - Developers testing specific versions (unlikely for these specific malicious tags)
level: critical
---
title: NPM Install of Malicious Axios Versions on Linux/macOS
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects installation of malicious axios versions via npm on Linux or macOS systems.
references:
  - https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.supply_chain
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection_pkg:
    Image|endswith: '/npm'
    CommandLine|contains: 'axios'
  selection_version:
    CommandLine|contains:
      - '1.14.1'
      - '0.30.4'
  condition: selection_pkg and selection_version
falsepositives:
  - Developer testing of specific versions
level: critical
---
title: Suspicious Child Process Spawning from Node.js Post Axios Install
id: f0e1d2c3-b4a5-4d6e-8f9a-0b1c2d3e4f5a
status: experimental
description: Detects Node.js spawning a shell or network tool, which may indicate execution of the WAVESHAPER payload or post-exploitation activity related to the Axios supply chain attack.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter:
    CommandLine|contains: 'node_modules'
  condition: selection and not filter
falsepositives:
  - Legitimate build scripts
level: high
```

### KQL Queries (Microsoft Sentinel/Defender)

Use these queries to hunt for evidence of the malicious package installation or subsequent C2 activity within your environment. Run the two queries separately.

```kql
// Hunt for installation of malicious Axios versions
DeviceProcessEvents
| where Timestamp > datetime(2025-03-31)
| where ProcessCommandLine has "npm"
| where ProcessCommandLine has "axios"
| where ProcessCommandLine has_any ("1.14.1", "0.30.4")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend DetectionTime = now()

// Hunt for suspicious Node.js network connections (potential C2)
DeviceNetworkEvents
| where Timestamp > datetime(2025-03-31)
| where InitiatingProcessFileName == "node.exe"
| where RemotePort !in (80, 443, 8080) // Filter out common dev ports, adjust as needed
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```

### Velociraptor VQL Hunt

Velociraptor can be used to scan filesystems for package-lock.json files that contain references to the malicious versions, even if the package has since been updated (or if the install failed midway).

```vql
-- Hunt for malicious axios versions in package-lock.json files
-- (scope the glob with root= to the directories you want to sweep)
SELECT FullPath, Mtime, Atime
FROM glob(globs="**/package-lock.json")
WHERE read_file(filename=FullPath) =~ '"axios"\\s*:\\s*"1\\.14\\.1"'
   OR read_file(filename=FullPath) =~ '"axios"\\s*:\\s*"0\\.30\\.4"'

-- Hunt for an installed malicious version in node_modules by reading
-- the package.json that npm writes next to the installed copy
SELECT FullPath, Size
FROM glob(globs="**/node_modules/axios/package.json")
WHERE read_file(filename=FullPath) =~ '"version"\\s*:\\s*"1\\.14\\.1"'
   OR read_file(filename=FullPath) =~ '"version"\\s*:\\s*"0\\.30\\.4"'
```

### Remediation Scripts

#### Bash (Linux/macOS)

Run this script in your project root directories to check for the presence of the malicious versions.

```bash
#!/bin/bash

echo "Scanning for malicious Axios versions (1.14.1, 0.30.4)..."

# Check package-lock.json
# Note: this pattern matches the literal '"axios": "<version>"' form only.
echo "Checking package-lock.json..."
if [ -f "package-lock.json" ]; then
  if grep -q '"axios"[[:space:]]*:[[:space:]]*"1\.14\.1"' package-lock.json || \
     grep -q '"axios"[[:space:]]*:[[:space:]]*"0\.30\.4"' package-lock.json; then
    echo "[ALERT] Malicious version found in package-lock.json"
  else
    echo "[OK] No malicious version in package-lock.json"
  fi
fi

# Check yarn.lock
echo "Checking yarn.lock..."
if [ -f "yarn.lock" ]; then
  if grep -q "axios@npm:1\.14\.1" yarn.lock || \
     grep -q "axios@npm:0\.30\.4" yarn.lock; then
    echo "[ALERT] Malicious version found in yarn.lock"
  else
    echo "[OK] No malicious version in yarn.lock"
  fi
fi
```

#### PowerShell (Windows)

```powershell
# Scan for malicious Axios versions in package-lock.json
$path = ".\package-lock.json"
if (Test-Path $path) {
    $content = Get-Content $path -Raw
    if ($content -match '"axios"\s*:\s*"1\.14\.1"' -or $content -match '"axios"\s*:\s*"0\.30\.4"') {
        Write-Host "[ALERT] Malicious version found in $path" -ForegroundColor Red
    } else {
        Write-Host "[OK] No malicious version found in $path" -ForegroundColor Green
    }
} else {
    Write-Host "package-lock.json not found."
}
```

## Remediation

If your environment was exposed to this supply chain attack, follow these steps immediately:

1. Identify Affected Systems: Use the detection logic above to identify any developer workstations, build servers, or containers that ran `npm install` between March 31, 2025, and the remediation time.
2. Audit Dependency Trees: Check package-lock.json, yarn.lock, and pnpm-lock.yaml files in all repositories. If axios version 1.14.1 or 0.30.4 is present, the lock file must be regenerated.
3. Force Clean Install:
   * Delete the node_modules folder.
   * Delete the lock file (package-lock.json, etc.).
   * Run `npm install` (or yarn/pnpm install) to pull the latest, verified versions.
4. Treat Compromise as Critical: According to the threat intelligence, the payload delivered was a fully functional RAT (WAVESHAPER.V2). Do not simply update the package. You must assume any system that executed the malicious version is fully compromised.
   * Isolate the host from the network.
   * Perform a full forensic investigation or re-image the machine entirely.
   * Rotate all credentials and API keys stored or used on that machine.
5. Review Supply Chain Hygiene: Implement mechanisms such as lockfile linting (e.g., using npm audit, Snyk, or Dependabot) to block installation of packages that do not match organizational policies or known checksums.
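The grep-based scripts above only match a literal `"axios": "<version>"` string, which is how a pinned dependency appears in package.json but not how package-lock.json records installed versions: lockfileVersion 2/3 keys entries by install path (`node_modules/axios`) and v1 nests them under `dependencies`, each with a separate `"version"` field, so a transitive copy of axios can be missed. The following lockfile audit, an added example that is not part of the original post, parses the JSON tree instead and reports every axios copy at a malicious version; the sample lockfile embedded in it is constructed for illustration.

```python
import json

# Versions the post identifies as the attacker-published builds.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}

def find_axios_versions(lock):
    """Map every axios copy in a parsed package-lock.json to its version.
    Covers lockfileVersion 2/3 ("packages" keyed by install path) and v1 (nested "dependencies")."""
    found = {}
    for path, meta in (lock.get("packages") or {}).items():
        if path == "node_modules/axios" or path.endswith("/node_modules/axios"):
            found[path] = meta.get("version")

    def walk(deps, prefix):
        for name, meta in (deps or {}).items():
            here = f"{prefix}node_modules/{name}"
            if name == "axios":
                found.setdefault(here, meta.get("version"))
            walk(meta.get("dependencies"), here + "/")

    walk(lock.get("dependencies"), "")
    return found

def malicious_hits(lock):
    """Return only the axios copies whose version is one of the trojanized builds."""
    return {p: v for p, v in find_axios_versions(lock).items()
            if v in MALICIOUS_AXIOS_VERSIONS}

# Constructed sample (not a real lockfile): top-level axios is clean, but a
# transitive dependency pinned the compromised 1.14.1 build.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.14.0", "some-sdk": "^2.0.0"}},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/some-sdk": {"version": "2.0.0", "dependencies": {"axios": "1.14.1"}},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}
  }
}""")

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = malicious_hits(lock)
    for path, version in hits.items():
        print(f"[ALERT] {path} is axios {version}")
    sys.exit(1 if hits else 0)
```

Pass a lockfile path as the first argument to audit a real repository; a non-zero exit status makes it usable as a CI gate.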

