UNC1069 Axios npm Compromise: Supply Chain Detection and Defense

Security Arsenal Team
April 10, 2026

Introduction

The open-source ecosystem is currently facing a critical security threat following the confirmation that the popular Axios HTTP client—a cornerstone library for countless JavaScript applications—was compromised via a sophisticated supply chain attack. The maintainer, Jason Saayman, disclosed that UNC1069, a North Korean threat actor group, successfully conducted a highly-targeted social engineering campaign to gain access to the npm package maintainer account.

This is not a theoretical vulnerability; it is an active exploitation scenario involving a nation-state adversary. The attack vector bypassed standard code review processes by compromising the trusted source itself. For defenders, this means the integrity of CI/CD pipelines and production environments is at immediate risk. If your organization depends on Axios, you must assume breach and hunt for malicious artifacts immediately.

Technical Analysis

  • Affected Products: Axios (npm package)

  • Threat Actor: UNC1069 (North Korean state-sponsored, often associated with APT38/Lazarus)

  • Attack Vector: Social Engineering → Credential Theft → Malicious Package Publication

  • Attack Chain:

    1. Initial Access: UNC1069 contacted the Axios maintainer posing as the founder of a legitimate entity (likely a recruitment/job offer tactic common to this group).
    2. Compromise: The social engineering scheme resulted in the theft of maintainer credentials or session tokens.
    3. Payload Delivery: The attackers used this access to publish malicious versions of the Axios package to the public npm registry.
    4. Execution: Downstream users executing npm install or running CI/CD builds inadvertently pulled the compromised code.
    5. Impact: Malicious scripts (typically defined in preinstall or postinstall hooks within package.json) execute on the developer's machine or build server, potentially leading to data exfiltration, credential harvesting, or lateral movement.
  • Exploitation Status: Confirmed active exploitation in the wild.

Detection & Response

Detecting a supply chain compromise requires shifting focus from network perimeter defenses to build pipeline integrity and process lineage. Malicious npm packages almost universally rely on lifecycle scripts (postinstall) to execute shell commands or spawn child processes immediately after installation.

Sigma Rules

The following rules detect anomalous process execution patterns indicative of a malicious npm package executing a payload on both Windows and Linux endpoints.

YAML
---
title: Suspicious Node.js Child Process - Windows
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Node.js spawning a shell, which is highly unusual for standard library operation and common in malicious npm packages using postinstall scripts.
references:
  - https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
author: Security Arsenal
date: 2026/04/10
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate build scripts running local utilities
level: high
---
title: Suspicious Node.js Child Process - Linux
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Node.js spawning a shell on Linux, indicative of malicious npm package execution during install.
references:
  - https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
author: Security Arsenal
date: 2026/04/10
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/node'
      - '/nodejs'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/zsh'
      - '/curl'
      - '/wget'
  condition: selection
falsepositives:
  - Legitimate build scripts (npm scripts)
level: high

KQL (Microsoft Sentinel / Defender)

Hunt for Node.js processes spawning unauthorized shells. This is the primary TTP for supply chain malware execution.

KQL — Microsoft Sentinel / Defender
// Hunt for Node.js spawning suspicious child processes
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ('node.exe', 'node')
| where FileName in~ ('powershell.exe', 'cmd.exe', 'bash', 'sh', 'curl', 'wget')
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc

Velociraptor VQL

Use VQL to identify suspicious process ancestry and check for the presence of the specific Axios package version if indicators become available, or broadly hunt for Node.js shell interactions.

VQL — Velociraptor
-- Hunt for Node.js processes spawning shells or download utilities
LET shells = SELECT Pid, Ppid, Name, CommandLine, Exe FROM pslist()
  WHERE Name IN ('sh', 'bash', 'zsh', 'powershell.exe', 'cmd.exe', 'curl', 'wget')
-- pslist() exposes the parent only as Ppid, so look the parent process up by pid
LET parent(ppid) = SELECT Name AS ParentName, CommandLine AS ParentCmd FROM pslist(pid=ppid)
SELECT * FROM foreach(row=shells, query={
    SELECT Pid, Name, CommandLine, Exe, Ppid, ParentName, ParentCmd FROM parent(ppid=Ppid)
  })
WHERE ParentName =~ 'node'

Remediation Script (Bash)

Run this script from the root of each project on your build agents and development workstations. It checks whether Axios is a declared dependency, audits the lockfile for known vulnerable versions, updates Axios to the current release, and verifies the registry signatures of the installed packages.

Bash / Shell
#!/bin/bash

# Axios Supply Chain Audit and Remediation
# Run this in the root of your project directories

echo "[*] Scanning for Axios dependency..."

# Check if Axios is declared in package.json
if grep -q '"axios"' package.json; then
    echo "[!] Axios dependency found in this project."

    # Show every installed copy, including transitive ones pulled in by other packages
    npm ls axios --all

    # Check for lockfile
    if [ -f "package-lock.json" ]; then
        echo "[*] Auditing package-lock.json for vulnerabilities..."
        npm audit --audit-level=moderate

        echo "[*] Forcing update of Axios to latest secure version..."
        npm update axios
    else
        echo "[WARNING] No package-lock.json found. Cannot audit specific versions accurately."
    fi
else
    echo "[+] Axios not declared in package.json (it may still be present as a transitive dependency; check with: npm ls axios --all)."
fi

echo "[*] Verifying registry signatures and provenance attestations of installed packages..."
npm audit signatures

Remediation

  1. Update Immediately: Upgrade the axios package to the latest version released by the legitimate maintainer (post-incident). Refer to the official Axios GitHub advisory for specific safe version numbers.
  2. Audit CI/CD Logs: Review build logs for the past 30 days. Look for any failed builds or unexpected network connections originating from build agents during npm install phases.
  3. Maintainer Hygiene: If you are a package maintainer, enable hardware security keys (FIDO2) for npm registry authentication (2FA is mandatory but insufficient against sophisticated session hijacking; hardware keys provide phishing resistance).
  4. Package Provenance: Adopt npm provenance or Sigstore signing. Verify that packages are signed by the repository owner before installation in production environments.
  5. Network Egress: Block build agents and dev workstations from accessing non-essential internet endpoints. Malicious postinstall scripts often attempt to beacon out to C2 servers.
