How to Defend Against the Axios npm Supply Chain Attack by UNC1069

Security Arsenal Team
April 1, 2026

Introduction

Software supply chains have become the primary attack vector for sophisticated threat groups targeting development environments. The recent compromise of the popular Axios npm package, attributed by Google to the North Korean cluster UNC1069, highlights the critical risk of trusting third-party dependencies without verification. For defenders, this is not just a news headline; it is a call to audit build pipelines, enforce dependency verification, and monitor for suspicious execution flows originating from package managers. The operation was financially motivated and targeted the financial sector, demonstrating how a single compromised library can pave the way for credential theft and system infiltration.

Technical Analysis

The Axios package is one of the most widely used HTTP clients for JavaScript, making it a high-value target for supply chain tampering. In this incident, UNC1069 compromised the maintainer's account or the build pipeline to publish malicious versions to the npm registry.

The attack mechanism likely involved a malicious script embedded within the package's postinstall lifecycle event. When developers or automated CI/CD systems ran npm install, the malicious script executed, potentially establishing reverse shells, exfiltrating environment variables, or deploying secondary payloads.

Affected Products/Systems:

  • Applications utilizing the compromised versions of the Axios npm package.
  • CI/CD pipelines running automated builds without dependency pinning or integrity checks.

Severity: Critical. Supply chain attacks bypass traditional network perimeter defenses by executing malicious code with the trust level of a legitimate internal developer tool.

Defensive Monitoring

To detect active exploitation or compromise related to this supply chain attack, security teams should hunt for abnormal child processes spawned by Node.js or unexpected network connections initiated by package managers.

SIGMA Rules

The following SIGMA rules detect suspicious behavior associated with malicious npm packages, including the abuse of postinstall scripts to spawn shells or unauthorized network connections.

YAML
---
title: Suspicious Child Process of Node.js Package Manager
id: 7a4b9c1d-8e3f-4a2b-9c5d-1e2f3a4b5c6d
status: experimental
description: Detects suspicious child processes spawned by Node.js or npm during package installation, often indicating a malicious postinstall script.
references:
  - https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1059.001
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
      - '\npx.cmd'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate build scripts that utilize shell tools for compilation
  - npm on Windows launches every lifecycle script through cmd.exe, so tune on CommandLine rather than on the parent/child pair alone
level: high
---
title: Node.js Process with Suspicious Network Connection
id: 3e1f2a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects Node.js processes establishing network connections to non-standard ports or suspicious remote IPs, typical of beaconing activity in supply chain compromises.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.defense_evasion
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
  # Sigma has no "notin" modifier; express the port allow-list as a filter that is negated in the condition
  filter_expected_ports:
    DestinationPort:
      - 80
      - 443
      - 8080
      - 3000
      - 5000
  condition: selection and not filter_expected_ports
falsepositives:
  - Development servers running on non-standard ports
level: medium
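
The two rules above expressed as a small detector and run over constructed Sysmon-style events, as an added example that is not code from the original post; the paths, PIDs, IPs and the build-tool allow-list used for triage are assumptions.

```javascript
// Added example, not code from the original post: the two Sigma rules above as a small
// detector run over constructed Sysmon-style events (EventID 1 = process create,
// EventID 3 = network connect). Paths, PIDs and IPs below are made up.
const SHELLS = ["\\powershell.exe", "\\cmd.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe"];
const NODE_PARENTS = ["\\node.exe", "\\npm.cmd", "\\npx.cmd"];
const EXPECTED_PORTS = new Set([80, 443, 8080, 3000, 5000]);
// npm on Windows runs every lifecycle script through "cmd.exe /d /s /c", so a shell that
// only runs a known build tool is the false positive the rule text warns about.
const KNOWN_BUILD_TOOLS = /\b(node-gyp|tsc|webpack|eslint|prebuild-install)\b/i;
const endsWithAny = (s, suffixes) => suffixes.some(x => s.toLowerCase().endsWith(x));

// Rule 1: shell spawned by node/npm, typical of a malicious postinstall script.
function isSuspiciousChild(ev) {
  return ev.EventID === 1 && endsWithAny(ev.ParentImage, NODE_PARENTS) && endsWithAny(ev.Image, SHELLS);
}
// Rule 2: node.exe connecting to a port outside the expected allow-list.
function isSuspiciousConnection(ev) {
  return ev.EventID === 3 && endsWithAny(ev.Image, ["\\node.exe"]) && !EXPECTED_PORTS.has(ev.DestinationPort);
}

// One alert per matching event; a shell that only runs a build tool is downgraded to "low"
// so analysts can triage the remaining hits first.
function detect(events) {
  const alerts = [];
  for (const ev of events) {
    if (isSuspiciousChild(ev)) {
      const level = KNOWN_BUILD_TOOLS.test(ev.CommandLine) ? "low" : "high";
      alerts.push({ rule: "node_spawned_shell", level, pid: ev.ProcessId, cmd: ev.CommandLine });
    }
    if (isSuspiciousConnection(ev)) {
      alerts.push({ rule: "node_odd_port", level: "medium", pid: ev.ProcessId,
                    dest: `${ev.DestinationIp}:${ev.DestinationPort}` });
    }
  }
  return alerts;
}

// Constructed sample telemetry, not real events.
const NODE = "C:\\Program Files\\nodejs\\node.exe";
const SAMPLE_EVENTS = [
  { EventID: 1, ProcessId: 4120, ParentImage: NODE, Image: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "cmd.exe /d /s /c node-gyp rebuild" }, // ordinary native build step
  { EventID: 1, ProcessId: 4188, ParentImage: NODE, CommandLine: "powershell.exe -NoProfile -WindowStyle Hidden -File setup.ps1",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" }, // hidden shell from a postinstall script
  { EventID: 3, ProcessId: 4200, Image: NODE, DestinationIp: "203.0.113.10", DestinationPort: 443 },
  { EventID: 3, ProcessId: 4200, Image: NODE, DestinationIp: "203.0.113.10", DestinationPort: 4444 },
  { EventID: 1, ProcessId: 5001, ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe" }, // unrelated shell, not flagged
];
console.log(JSON.stringify(detect(SAMPLE_EVENTS), null, 2));
```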

KQL Queries

Use these queries in Microsoft Sentinel or Microsoft Defender for Endpoint to investigate potential compromise related to the Axios package or similar npm attacks.

KQL — Microsoft Sentinel / Defender
// Hunt for Node.js spawning suspicious shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "npx.cmd")
| where FileName in~ ("powershell.exe", "cmd.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, CommandLine, FolderPath
| order by Timestamp desc

// Check for package.json / package-lock.json changes made by an npm or node process whose command line referenced axios
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName =~ "package.json" or FileName =~ "package-lock.json"
// npm on Windows runs as node.exe (npm.cmd is only a wrapper), so filter on both
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd")
| where InitiatingProcessCommandLine contains "axios"
| project Timestamp, DeviceName, ActionType, FolderPath, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

These Velociraptor hunts can be used to scan endpoints for signs of the compromise or malicious package installation.

VQL — Velociraptor
-- Hunt for package-lock.json files modified in the last 7 days to identify recent installations
SELECT FullPath, Mtime, Atime, Size
FROM glob(globs="C:/Users/**/package-lock.json")
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Hunt for Node.js processes spawning PowerShell or CMD
-- pslist() has no Parent column, so the parent's name is resolved with a subquery on Ppid
SELECT Name, Pid, Ppid, CommandLine, CreateTime,
       { SELECT Name FROM pslist(pid=Ppid) } AS Parent
FROM pslist()
WHERE Name =~ "^(powershell|cmd|pwsh)[.]exe$" AND Parent.Name =~ "^node[.]exe$"

PowerShell Verification

Use this script to audit installed npm packages on a developer workstation or build server for known compromised versions (pass the known-bad version numbers as IOCs once they are published; the script reports every Axios version it finds either way).

PowerShell
# Audit Axios package versions locally
function Check-AxiosVersion {
    param (
        [string]$Path = ".",
        [string[]]$KnownBadVersions = @()   # placeholder: fill from the official advisory
    )

    $packageJson = Join-Path $Path "package.json"
    $lockFile = Join-Path $Path "package-lock.json"

    if (Test-Path $packageJson) {
        Write-Host "Checking $packageJson..."
        # -Raw hands the whole file to ConvertFrom-Json instead of one line at a time
        $json = Get-Content $packageJson -Raw | ConvertFrom-Json
        foreach ($section in "dependencies", "devDependencies") {
            $range = $json.$section.axios
            if ($range) {
                Write-Host "[!] Axios $section range: $range" -ForegroundColor Yellow
            }
        }
    }

    if (Test-Path $lockFile) {
        Write-Host "Analyzing $lockFile for Axios dependencies..."
        $lockContent = Get-Content $lockFile -Raw | ConvertFrom-Json
        # lockfileVersion 1 nests entries under "dependencies"; v2/v3 list install paths under "packages"
        $versions = @()
        if ($lockContent.packages) {
            # matches the top-level copy and any nested copy such as node_modules/foo/node_modules/axios
            $lockContent.packages.PSObject.Properties |
                Where-Object { $_.Name -match '(^|/)node_modules/axios$' } |
                ForEach-Object { $versions += $_.Value.version }
        } elseif ($lockContent.dependencies.axios) {
            $versions += $lockContent.dependencies.axios.version
        }
        foreach ($version in $versions) {
            if ($KnownBadVersions -contains $version) {
                Write-Host "[!!] Axios locked at KNOWN BAD version: $version" -ForegroundColor Red
            } else {
                Write-Host "[!] Axios locked at version: $version" -ForegroundColor Yellow
            }
        }
    }
}

# Execute in current directory
Check-AxiosVersion

Remediation

Organizations must act immediately to secure their software supply chain against UNC1069 and similar threat actors.

  1. Update and Patch: Immediately update the Axios package to the latest, verified clean version. Run npm update axios or explicitly install the safe version npm install axios@latest. Check the version you end up with against the maintainer's advisory before trusting it: the @latest tag only points to a clean release once the malicious versions have been pulled from the registry.

  2. Audit Dependencies: Review package-lock.json files in your repositories to ensure no compromised versions are pinned. Use tools like npm audit to identify vulnerabilities.

  3. Enforce Lockfile Integrity: Ensure your CI/CD pipelines verify the integrity of package-lock.json or yarn.lock files. Do not allow automatic installations that bypass lockfiles.

  4. Review Build Logs: Inspect CI/CD logs for the past few months for any unexpected network connections or script executions during the npm install phase.

  5. Rotate Credentials: If your build environment or developer workstations were potentially compromised, rotate all secrets, API keys, and tokens stored in environment variables that may have been leaked during the build process.
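
A lockfile auditor covering steps 2 and 3 above and the limitation of the PowerShell check (which only sees the top-level copy), as an added example that is not code from the original post: it walks both lockfile v1 and v2/v3 layouts, reports every copy of axios including nested ones, and flags entries with a known-bad version, a missing integrity hash, or a resolved URL outside the npm registry. The known-bad version list and the sample lockfile are constructed placeholders.

```javascript
// Added example, not code from the original post: audit a package-lock.json for every copy
// of axios (top-level or nested) in both lockfile v1 ("dependencies") and v2/v3 ("packages")
// layouts, flagging known-bad versions, missing integrity hashes and non-registry URLs.
const KNOWN_BAD_VERSIONS = new Set(["0.0.0-placeholder-bad"]); // placeholder: fill from the advisory
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
function collectPackage(lock, name) {
  const found = [];
  const record = (path, m) => found.push({ path, version: m.version, resolved: m.resolved, integrity: m.integrity });
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/foo/node_modules/axios"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) record(path, meta);
    }
  } else if (lock.dependencies) {
    // v1: transitive dependencies are nested under each entry's own "dependencies"
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) record(path, meta);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

function auditLock(lock, name = "axios") {
  return collectPackage(lock, name).map(e => {
    const findings = [];
    if (KNOWN_BAD_VERSIONS.has(e.version)) findings.push("known-bad-version");
    if (!e.integrity || !e.integrity.startsWith("sha512-")) findings.push("missing-or-weak-integrity");
    if (!e.resolved || !e.resolved.startsWith(TRUSTED_REGISTRY)) findings.push("untrusted-resolved-url");
    return { ...e, findings };
  });
}

// Constructed lockfile v3 fragment; versions, hashes and URLs are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "1.0.0-sample-clean", integrity: "sha512-AAAAconstructedAAAA",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.0.0-sample-clean.tgz" },
    "node_modules/some-sdk": { version: "2.0.0", integrity: "sha512-BBBBconstructedBBBB",
      resolved: "https://registry.npmjs.org/some-sdk/-/some-sdk-2.0.0.tgz" },
    // nested copy pulled in by some-sdk: placeholder bad version, mirror URL, no integrity hash
    "node_modules/some-sdk/node_modules/axios": { version: "0.0.0-placeholder-bad",
      resolved: "https://mirror.example.invalid/axios.tgz" },
  },
};
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real repository, pass the parsed file, e.g. auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8"))), and gate CI on an empty findings list together with npm ci so installs never silently drift from the lockfile.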
