In modern cybersecurity, open-source tools can often provide the perfect avenue for attackers due to widespread access and dependencies. The Axios promise-based HTTP client is present in around 80% of cloud and code environments, making it a dependency so foundational that it is rarely scrutinized. NPM’s implicit trust model auto-propagates version updates with minimal verification, compounding security risks. Obtaining illegitimate access to a single maintainer account is sufficient to push malicious packages to millions of downstream consumers, as demonstrated in a recently discovered compromise.
From Account Takeover to Global Footprint
This attack began with only one account takeover and went on to impact a wide range of environments through that access point. A single compromised maintainer account was used to publish versions 1.14.1 and 0.30.4 with a hidden trojanized dependency on a newly created malicious package titled plain-crypto-js. The dropper script, setup.js, fetched platform-specific payloads from remote command-and-control (C2) infrastructure before self-deleting and restoring a clean package.json.
The malicious versions found in this attack were live for less than three hours, yet managed to achieve execution in 3% of affected environments, highlighting the wide scope of such activity. This is a clear demonstration of the massive risk that can be posed by a seemingly minor compromise. Organizations must see this attack as a wake-up call to the dangers of significant dependencies and unaudited supply chains.
Experts note that this attack is particularly notable for its lack of focus on the software used as an access point. “What's clever about this one is that the attackers didn't care about Axios, the software, at all. They didn't modify a single line of library code,” says Denis Calderone, CTO, Suzu Labs. “They weaponized the trust and reach of the package to run a post-install hook that dropped a RAT on whatever machine ran npm install, then the malware deleted itself and made the package look clean. The target was never the application; it was the build pipeline.”
Engineered for Every Target Surface
The attack was designed to function on multiple operating systems, ensuring persistent access on a vast array of target devices. The macOS payload in this attack was a compiled Mach-O binary, capable of self-signing injected code via codesign, helping to manufacture a sense of trustworthiness. The Windows payload ran as a PowerShell script and achieved persistence via a registry Run key and re-download batch file. The Linux payload was delivered as a Python-based script.
All three variants share shell execution, process enumeration, and 60-second C2 beaconing, enabling persistent access on many different systems. This demonstrates the threat actor’s dedication to establishing broad and lasting access on targeted devices, raising the potential for severe damage in enterprise environments.
A State-Sponsored Playbook
This malicious activity has been linked to a North Korea-associated threat group with a documented history of targeting software ecosystems and cryptocurrency platforms. Google Threat Intelligence Group (GTIG) is attributing the malicious activity to the threat actor tracked as UNC1069, active since at least 2018 and previously responsible for phishing and social engineering attacks involving hijacked Telegram accounts, fake Zoom meetings, and AI-generated video.
The use of Proton Mail identities and malware self-cleaning seems to reflect deliberate operational security on the part of the threat actors, rather than simply opportunistic tradecraft. This incident also fits into a broader pattern of attackers using trusted open-source components as force multipliers for simultaneous downstream access.
Rethinking Dependency Security
It is important for organizations and defenders to look to this incident for lessons moving forward. Software composition analysis must function as a continuous automated gate, rather than an audit carried out periodically. Maintainer account security standards, such as hardware-backed MFA and publishing anomaly detection, represent a critical and largely unaddressed control gap that organizations should make an effort to account for. The Axios incident reframes supply chain risk as a systemic infrastructure problem, requiring industry-level response beyond what individual organizations are able to manage alone.
