Introduction
On March 31, the open-source ecosystem suffered a significant supply chain breach when the widely used axios npm package—boasting over 100 million weekly downloads—was compromised. Google Threat Intelligence Group (GTIG) attributes this intrusion to UNC1069, a North Korea-nexus threat actor motivated by financial gain.
For approximately three hours, malicious versions 1.14.1 and 0.30.4 were live on the npm registry. These versions did not simply contain code flaws; they actively delivered WAVESHAPER.V2, a cross-platform Remote Access Trojan (RAT), to developer environments upon installation. Given axios' ubiquity in modern web development, the potential blast radius of this compromise is massive. Defenders must assume that any developer workstation or CI/CD pipeline executing npm install during that window is fully compromised.
Technical Analysis
Affected Products and Versions:
- Package: axios
- Malicious Versions: 1.14.1, 0.30.4
- Clean Versions: Prior to 1.14.1 (e.g., 1.14.0) and patched versions following the incident (e.g., 1.14.2, 1.15.0).
Affected Platforms:
- Windows
- macOS
- Linux
Attack Chain and Mechanism:
UNC1069 likely compromised the maintainer's credentials or the publishing pipeline. The attack vector is a classic "dependency confusion" or direct repository manipulation style supply chain attack. When a developer or build server executed a package installation (e.g., npm install axios or npm update axios) during the three-hour window, the npm registry served the malicious tarball.
The malicious package contained a preinstall script or obfuscated JavaScript that ran immediately on installation, before any of the package's main code was ever imported by the application. This script fetched and executed the WAVESHAPER.V2 payload.
WAVESHAPER.V2 Capabilities:
- Unauthorized Access: Establishes reverse-shell or C2 connectivity.
- Cross-Platform: Capable of running on Windows, macOS, and Linux.
- Persistence: Designed to maintain access to the victim environment, likely exfiltrating credentials, source code, or environment variables (e.g., AWS keys, API tokens).
Exploitation Status: Confirmed active exploitation in the wild. The malicious packages have been removed from the npm registry, but any environment that successfully cached or installed them remains compromised until remediated.
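The preinstall mechanism described above is why a dependency never has to be imported to do damage: npm runs lifecycle hooks as part of the install itself. The following Python script is an added example (not code from the original advisory, from Security Arsenal, or from the axios project) that audits a tree of installed package.json files for two things a responder wants to see side by side: a version matching the advisory's indicators, and any install-time lifecycle hook (preinstall, install, postinstall, prepare) that would have executed during npm install. The sample manifests, including the hypothetical "node setup.js" preinstall command, are constructed for illustration, and the function names are this example's own.

```python
import json
import os
from typing import Any, Dict, List

# Indicators of compromise taken from the advisory above.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}

# npm lifecycle hooks that run automatically during `npm install`. A package
# declaring any of these gets code execution before the application imports
# it, which is the mechanism the advisory describes.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_package_json(text: str) -> Dict[str, Any]:
    """Inspect the text of one package.json and report its install-time risk."""
    meta = json.loads(text)
    name = str(meta.get("name", ""))
    version = str(meta.get("version", ""))
    scripts = meta.get("scripts") or {}
    hooks = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}
    return {
        "name": name,
        "version": version,
        "install_hooks": hooks,
        "matches_ioc": name == "axios" and version in MALICIOUS_AXIOS_VERSIONS,
    }


def audit_tree(package_jsons: Dict[str, str]) -> List[Dict[str, Any]]:
    """Audit package.json texts keyed by path. Keeps only packages that match
    the IoC or declare an install hook; unparsable manifests are reported too,
    because a deliberately broken manifest is itself worth a look."""
    findings: List[Dict[str, Any]] = []
    for path in sorted(package_jsons):
        try:
            result = audit_package_json(package_jsons[path])
        except ValueError:
            findings.append({"path": path, "error": "invalid JSON",
                             "matches_ioc": False, "install_hooks": {}})
            continue
        if result["matches_ioc"] or result["install_hooks"]:
            result["path"] = path
            findings.append(result)
    return findings


def load_installed_packages(root: str) -> Dict[str, str]:
    """Collect every package.json that sits somewhere below a node_modules dir."""
    collected: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" in filenames and "node_modules" in dirpath.split(os.sep):
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                collected[path] = fh.read()
    return collected


# Constructed sample manifests (not real package contents): a clean axios, a
# hypothetical trojanized axios that declares a preinstall hook, and an
# unrelated package with a legitimate-looking build hook.
SAMPLE_TREE = {
    "node_modules/axios/package.json": json.dumps(
        {"name": "axios", "version": "1.14.0", "scripts": {"test": "mocha"}}),
    "packages/api/node_modules/axios/package.json": json.dumps(
        {"name": "axios", "version": "1.14.1", "scripts": {"preinstall": "node setup.js"}}),
    "node_modules/example-native-addon/package.json": json.dumps(
        {"name": "example-native-addon", "version": "2.0.0",
         "scripts": {"postinstall": "node-gyp rebuild"}}),
}

if __name__ == "__main__":
    # On a real host: audit_tree(load_installed_packages("/path/to/project"))
    for finding in audit_tree(SAMPLE_TREE):
        label = "IOC MATCH" if finding["matches_ioc"] else "install hook"
        print(f"[{label}] {finding['path']}: {finding.get('name')}@{finding.get('version')} "
              f"hooks={list(finding['install_hooks'])}")
```

Only the IoC match is conclusive; the hook listing is context, since many legitimate native packages declare postinstall builds. Its value during response is that it shows which packages had the opportunity to run code on the host during the incident window, which is the question the "assume host compromise" guidance turns on.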
Detection & Response
This is a Technical Threat. The following detection rules and queries are designed to identify the installation of the specific malicious versions or the presence of the associated artifacts.
Sigma Rules
---
title: Potential Malicious Axios NPM Package Installation
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects the installation of known malicious axios npm versions (1.14.1 or 0.30.4) associated with the UNC1069 supply chain attack delivering WAVESHAPER.V2.
references:
    - https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-kexus-threat-actor-unc1069
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    # The install keyword and the version string are kept in separate
    # selections: a single mapping cannot hold CommandLine|contains twice.
    selection_process:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
            - '\yarn.js'
            - '\pnpm.js'
        Image|endswith:
            - '\node.exe'
    selection_install:
        CommandLine|contains: 'install'
    selection_version:
        CommandLine|contains:
            - 'axios@1.14.1'
            - 'axios@0.30.4'
            - 'axios "1.14.1"'
            - 'axios "0.30.4"'
    condition: all of selection_*
falsepositives:
    - None (These specific versions should never be installed intentionally)
level: critical
---
title: Suspicious Child Process of NPM Install
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects suspicious shell execution spawned by npm/node, common behavior in supply chain attacks executing post-install scripts like WAVESHAPER.V2.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\node.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    condition: selection
falsepositives:
    - Legitimate build scripts invoking shells (filter known build servers)
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for installation of malicious axios versions
DeviceProcessEvents
| where Timestamp >= datetime(2026-03-31 00:00:00) and Timestamp <= datetime(2026-03-31 23:59:59)
| where ProcessCommandLine has "install"
| where ProcessCommandLine has_any ("axios@1.14.1", "axios@0.30.4")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| extend IoC = "Malicious Axios Version"
Velociraptor VQL
-- Hunt for malicious axios package.json files on disk.
-- root='/' suits Linux/macOS; adjust the root for Windows hosts.
-- Dots are bracketed so they match literally, and [[:space:]] avoids backslash escaping.
SELECT FullPath, Mtime, Atime
FROM glob(globs='**/node_modules/axios/package.json', root='/')
WHERE read_file(filename=FullPath) =~ '"version"[[:space:]]*:[[:space:]]*"(1[.]14[.]1|0[.]30[.]4)"'
Remediation Script (Bash)
#!/bin/bash
# Audit and Remediation Script for UNC1069 Axios Compromise
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color

echo "[*] Scanning for malicious axios versions (1.14.1, 0.30.4)..."
compromised=0
# Find package.json files inside node_modules directories named axios.
# Process substitution (instead of a pipe) keeps the counter in this shell.
while IFS= read -r -d '' file; do
    # Check the version field against the malicious indicators
    # (-E for alternation; dots are escaped so they match literally).
    if grep -qE '"version"[[:space:]]*:[[:space:]]*"(1\.14\.1|0\.30\.4)"' "$file"; then
        echo -e "${RED}[!] COMPROMISE DETECTED: $file${NC}"
        echo "    Version matches malicious indicator."
        compromised=$((compromised + 1))
        # Remediation Action: Remove the malicious module
        # Uncomment the two lines below to automatically delete
        # rm -rf "$(dirname "$file")"
        # echo "    Removed malicious directory: $(dirname "$file")"
    else
        echo -e "${GREEN}[+] SAFE: $file${NC}"
    fi
done < <(find . -type f -path "*/node_modules/axios/package.json" -print0)
echo "[*] Scan complete. Compromised copies found: $compromised"
echo "[!] If compromised versions were found, delete the 'node_modules/axios' directory and run 'npm install axios' to pull the latest clean version."
echo "[!] CRITICAL: Treat the host as compromised if installation occurred. Rotate all credentials."
# Non-zero exit status lets CI jobs fail on a hit.
[ "$compromised" -eq 0 ] || exit 1
Remediation
- Immediate Version Audit: Check package-lock.json, yarn.lock, or pnpm-lock.yaml in your source code repositories. Search for axios@1.14.1 or axios@0.30.4. If found, these lock files are poisoned and must be reverted or manually edited to a safe version (e.g., 1.14.2 or later).
- Environment Purging: On any workstation or server where npm install ran between March 31, 2025, and April 1, 2025, delete the node_modules folder entirely and reinstall dependencies using a clean lock file. Do not rely on npm audit fix alone, as the malicious package has been removed from the registry, which prevents a simple reinstall.
- Assume Host Compromise: Because WAVESHAPER.V2 is a Remote Access Trojan, systems that executed the malicious package require full forensics and re-imaging. Simple uninstallation of the npm package is insufficient to remove the RAT. Rotate all credentials, API keys, and tokens stored or used on affected machines.
- Vendor Advisory: Monitor the official npm advisory and the Tenable blog for ongoing updates regarding hash values of the malicious tarballs.
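The lock file audit in the first step can be scripted across a whole organization's repositories. The Python below is an added example (not from the advisory, Security Arsenal, or any of the projects mentioned) that scans package-lock.json (lockfileVersion 1 and 2/3), yarn.lock (classic and Berry) and pnpm-lock.yaml (v5, v6 and v9 key styles) for axios entries pinned to 1.14.1 or 0.30.4. It goes beyond the page's grep-style search by handling the nested lockfileVersion 1 tree, nested node_modules paths, and peer-dependency suffixes in pnpm keys, so a poisoned transitive pin is not missed. The sample lock file contents and all function names are constructed for the example.

```python
import json
import os
import re
from typing import Dict, List, Tuple

# Indicators of compromise taken from the advisory above.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}

Finding = Tuple[str, str]  # (location inside the lockfile, resolved version)


def scan_package_lock(text: str) -> List[Finding]:
    """package-lock.json / npm-shrinkwrap.json. lockfileVersion 2 and 3 carry a flat
    'packages' map keyed by install path; lockfileVersion 1 nests a 'dependencies' tree."""
    lock = json.loads(text)
    found: List[Finding] = []
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path.split("node_modules/")[-1] == "axios":  # exact name, any nesting depth
                found.append((path, str(entry.get("version", ""))))
        return found

    def walk(deps: Dict, prefix: str) -> None:
        for name, entry in (deps or {}).items():
            loc = f"{prefix}node_modules/{name}"
            if name == "axios":
                found.append((loc, str(entry.get("version", ""))))
            walk(entry.get("dependencies"), loc + "/")

    walk(lock.get("dependencies"), "")
    return found


def scan_yarn_lock(text: str) -> List[Finding]:
    """yarn.lock (classic v1 and Berry). An unindented line ending in ':' opens a
    block; the indented 'version' line inside it gives the resolved version."""
    found: List[Finding] = []
    header = None
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#") and line.rstrip().endswith(":"):
            header = line.rstrip()[:-1].replace('"', "")
            continue
        m = re.match(r'\s+version:?\s+"?([^"\s]+)"?\s*$', line)
        if m and header and re.search(r"(?:^|,\s*)axios@", header):  # not axios-retry, not @scope/axios
            found.append((header, m.group(1)))
    return found


# pnpm-lock.yaml package keys: '/axios/1.14.1:' (v5), '/axios@1.14.1:' (v6),
# 'axios@1.14.1:' (v9); a '(peer@x)' suffix may follow the version.
PNPM_KEY = re.compile(r"""^\s+['"]?/?axios[@/]([^'":\s]+)['"]?:\s*$""", re.MULTILINE)


def scan_pnpm_lock(text: str) -> List[Finding]:
    found: List[Finding] = []
    for m in PNPM_KEY.finditer(text):
        key = m.group(0).strip().rstrip(":").strip("'\"")
        entry = (key, m.group(1).split("(")[0])
        if entry not in found:  # the same key recurs in the v9 'snapshots' section
            found.append(entry)
    return found


SCANNERS = {
    "package-lock.json": scan_package_lock,
    "npm-shrinkwrap.json": scan_package_lock,
    "yarn.lock": scan_yarn_lock,
    "pnpm-lock.yaml": scan_pnpm_lock,
}


def malicious_axios_entries(filename: str, text: str) -> List[Finding]:
    """Return only the axios entries pinned to an advisory-listed version."""
    scanner = SCANNERS.get(os.path.basename(filename))
    if scanner is None:
        return []
    return [(loc, ver) for loc, ver in scanner(text) if ver in MALICIOUS_AXIOS_VERSIONS]


def scan_repo(root: str) -> Dict[str, List[Finding]]:
    """Walk a checkout (skipping node_modules) and map each poisoned lockfile to its hits."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for fn in filenames:
            if fn in SCANNERS:
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8") as fh:
                    hits = malicious_axios_entries(path, fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample lock files (not real project files).
SAMPLE_PACKAGE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios-retry": {"version": "4.0.0"}}})
SAMPLE_PACKAGE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "some-sdk": {"version": "2.0.0", "dependencies": {"axios": {"version": "0.30.4"}}}}})
SAMPLE_YARN_LOCK = ('axios@^1.14.0:\n  version "1.14.0"\n  resolved "https://registry.example/axios-1.14.0.tgz"\n\n'
                    'axios-retry@^4.0.0:\n  version "4.0.0"\n')
SAMPLE_PNPM_LOCK = ("lockfileVersion: '6.0'\n\npackages:\n\n  /axios@0.30.4(debug@4.3.4):\n"
                    "    resolution: {integrity: sha512-constructed}\n\n  /axios-retry@4.0.0:\n"
                    "    resolution: {integrity: sha512-constructed}\n")

if __name__ == "__main__":
    # On a real checkout: print(scan_repo("/path/to/repo"))
    for name, text in [("package-lock.json", SAMPLE_PACKAGE_LOCK_V3), ("legacy/package-lock.json", SAMPLE_PACKAGE_LOCK_V1),
                       ("yarn.lock", SAMPLE_YARN_LOCK), ("pnpm-lock.yaml", SAMPLE_PNPM_LOCK)]:
        print(name, malicious_axios_entries(name, text) or "clean")
```

scan_repo deliberately skips node_modules, because lock files found there belong to dependencies and are not what the project installs from; the installed tree is covered by the package.json scan in the bash script above. A hit means the lock file itself must be reverted, since a fresh install from it will try to resolve the removed version and fail.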