
The poisoned releases, axios 1.14.1 and 0.30.4, pulled in plain-crypto-js and quietly delivered the WAVESHAPER.V2 backdoor to Windows, macOS, and Linux systems during installation.
The incident is serious because Axios is one of the most common libraries for handling HTTP requests, and the affected branches normally draw very large weekly download volumes.
That reach means one compromised package update could expose developer laptops, build servers, CI/CD pipelines, and downstream applications that trusted the official package stream.
After reviewing the intrusion, Google Cloud researchers assessed that the attacker had likely compromised the axios maintainer account, changed the email address tied to it, and then added plain-crypto-js version 4.2.1 as a dependency of the package.
The company linked the activity to UNC1069, a financially motivated North Korea-nexus threat actor, based on overlaps in infrastructure and the use of the updated WAVESHAPER.V2 malware family.
What makes this campaign especially dangerous is its delivery method. Instead of waiting for a user to open a file or click a link, the malicious code abused the normal npm install process through a postinstall hook, so the dropper ran in the background as soon as the tainted axios package was installed, with no further interaction from the developer.
How the infection worked
The infection chain centered on an obfuscated JavaScript dropper called setup.js, which GTIG also tracks as SILKBELL. Once executed, the script checked the operating system and delivered a different payload for each platform.
On Windows, it searched for powershell.exe, copied it to another path to reduce suspicion, downloaded a PowerShell stage with curl, and ran it with hidden and execution-policy-bypass options.
On macOS, it used bash and curl to place a Mach-O binary in /Library/Caches/com.apple.act.mond, changed file permissions, and launched it through zsh. On Linux, it downloaded a Python backdoor to /tmp/ld.py.
The malware also tried to hide what it had done. Google’s analysis showed that setup.js attempted to delete itself after dropping the next stage and restore the altered package.json from a stored copy so forensic review would be harder.
The final payload, WAVESHAPER.V2, then beaconed to its command-and-control server every 60 seconds over port 8000 using Base64-encoded JSON and a hard-coded user-agent string.
This backdoor gives the attackers far more than simple remote access. GTIG said the malware can collect system details, list files and directories, run scripts, inject or execute additional payloads, and wait for more commands from the server.
On Windows, the threat can also persist by creating a hidden batch file and adding a MicrosoftUpdate entry under the current user’s Run registry key so it launches at logon.
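The beacon behaviour described above (a fixed 60-second cadence, port 8000, Base64-encoded JSON bodies) is the kind of pattern a defender can hunt for in proxy or flow logs. The following is an added example, not code from the article or from Google's report: it groups connections by source, destination and port, flags flows whose inter-arrival gaps cluster around the reported period, and tries to decode each flow's first body as Base64 JSON. The log format, the User-Agent value, the host names and the JSON fields in the constructed sample are assumptions for the example; the article does not publish the real user-agent string, and the IoC address 142.11.206.73 is the one the article lists.

```javascript
// Added example: beacon hunt over constructed connection logs. Not part of
// the article or of Google's analysis. Only the period (60 s), the port
// (8000) and the Base64-JSON body encoding come from the report.
const DEFAULT_PERIOD_S = 60;
const DEFAULT_PORT = 8000;

// Constructed record layout, tab-separated:
// epoch_seconds  src_ip  dst_ip  dst_port  user_agent  base64_body
function parseLine(line) {
  const [ts, src, dst, dport, ua, body] = line.split("\t");
  return { ts: Number(ts), src, dst, dport: Number(dport), ua, body };
}

// Base64 -> JSON, or null when either step fails (most traffic will fail;
// a body that decodes cleanly to JSON is one more signal for the flow).
function decodeBody(b64) {
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

function median(nums) {
  const s = [...nums].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Groups records by (src, dst, dport) and flags flows with at least `minHits`
// gaps within `tolerance` (fraction of the period) of the expected period.
function findBeacons(lines, { period = DEFAULT_PERIOD_S, port = DEFAULT_PORT, tolerance = 0.1, minHits = 3 } = {}) {
  const flows = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (r.dport !== port) continue;
    const key = `${r.src}->${r.dst}:${r.dport}`;
    if (!flows.has(key)) flows.set(key, []);
    flows.get(key).push(r);
  }
  const hits = [];
  for (const [key, recs] of flows) {
    recs.sort((a, b) => a.ts - b.ts);
    const gaps = recs.slice(1).map((r, i) => r.ts - recs[i].ts); // recs[i] is the previous record
    const onPeriod = gaps.filter((g) => Math.abs(g - period) <= period * tolerance);
    if (onPeriod.length < minHits) continue;
    hits.push({
      flow: key,
      connections: recs.length,
      medianGapSeconds: median(gaps),
      userAgents: [...new Set(recs.map((r) => r.ua))],
      decodedSample: decodeBody(recs[0].body),
    });
  }
  return hits;
}

// Constructed sample data. The beacon-shaped flow drifts by a second or two
// the way a sleep(60) loop does; the second flow is ordinary irregular use
// of the same port whose body is Base64 of "not json".
function b64json(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64");
}
const SAMPLE_LOG = [
  ...[0, 60, 121, 180, 240].map((t, i) =>
    [1700000000 + t, "10.0.0.5", "142.11.206.73", 8000, "Example-Agent/1.0", b64json({ host: "dev-laptop-01", seq: i })].join("\t")),
  [1700000003, "10.0.0.7", "10.0.0.50", 8000, "curl/8.4.0", "bm90IGpzb24="].join("\t"),
  [1700000011, "10.0.0.7", "10.0.0.50", 8000, "curl/8.4.0", "bm90IGpzb24="].join("\t"),
  [1700000400, "10.0.0.7", "10.0.0.50", 8000, "curl/8.4.0", "bm90IGpzb24="].join("\t"),
];

console.log(JSON.stringify(findBeacons(SAMPLE_LOG), null, 2));
```

Tune `tolerance` and `minHits` to the noise in your own logs: a 10 percent window on a 60-second period tolerates the jitter of a scripted sleep loop but still excludes human-driven or bursty traffic, and requiring several on-period gaps avoids flagging a pair of coincidental requests. Pair the timing match with the port and the decodable-JSON body rather than relying on any one of them.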
For defenders, the response should begin with package control and host containment. Google said organizations should avoid axios versions 1.14.1 and 0.30.4, pin projects to known-good releases such as 1.14.0 or earlier and 0.30.3 or earlier, and check lockfiles for plain-crypto-js versions 4.2.0 or 4.2.1.
Any system that installed the malicious dependency should be treated as compromised, rebuilt or reverted to a known-good state, and followed by credential rotation for tokens, API keys, and other secrets that may have been present on the host.
Teams should also pause affected CI/CD jobs, clear npm, yarn, and pnpm caches, block traffic to sfrclak[.]com and 142.11.206.73, and watch for suspicious child processes spawned from Node.js applications.
The wider lesson is clear: trusted open source packages can become intrusion points with very little warning. In this case, the attackers turned a routine developer action, installing a package, into a full cross-platform compromise.
Since axios sits deep inside many dependency trees, organizations now need to review not only direct installations but also inherited exposure across build pipelines, internal tools, and production services.
Where plain-crypto-js is found, defenders should assume the malware may have reached beyond the first machine and validate nearby systems for related activity. Speed matters most, and early containment can limit follow-on abuse.
The post North Korean Hackers Compromise Popular Axios Package to Infect Windows, macOS, and Linux appeared first on Cyber Security News.
