The Google Threat Intelligence Group (GTIG) has issued an urgent warning regarding a sophisticated software supply chain attack targeting one of the most vital components of the JavaScript ecosystem. Between March 31, 2026, and the early hours of the following morning, a threat actor successfully hijacked the axios NPM package, injecting a malicious dependency designed to deploy backdoors across Windows, macOS, and Linux systems.
With axios typically seeing over 183 million combined weekly downloads, the scale of this compromise is staggering.
The attack began when a maintainer account for the axios package was compromised. According to GTIG, “the associated email address changed to an attacker-controlled account (ifstap@proton.me)”. Once in control, the adversary introduced a malicious dependency named “plain-crypto-js” into axios versions 1.14.1 and 0.30.4.
To ensure the malware executed without user intervention, the attacker utilized a postinstall hook. As the report details:
“Upon installation of the compromised axios package, NPM automatically executes an obfuscated JavaScript dropper named ‘setup.js’ in the background”.
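For defenders, the indicators above (the two affected axios versions, the injected “plain-crypto-js” dependency, and the use of an install hook) can be checked directly in a project’s npm lockfile. The following is an added example, not code from the GTIG report: it audits an npm lockfile v2/v3 “packages” map, using npm’s `hasInstallScript` marker to flag packages that run install scripts. The lockfile contents are constructed for the demonstration.

```javascript
// Indicators taken from the article; everything else here is constructed.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEPS = new Set(["plain-crypto-js"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns a list of {path, reason} findings for an npm lockfile (v2/v3) object.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (name === "axios" && COMPROMISED_AXIOS.has(meta.version)) {
      findings.push({ path, reason: `compromised axios ${meta.version}` });
    }
    if (MALICIOUS_DEPS.has(name)) {
      findings.push({ path, reason: "malicious dependency present" });
    }
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (MALICIOUS_DEPS.has(dep)) findings.push({ path, reason: `depends on ${dep}` });
    }
    // npm sets hasInstallScript for packages with (pre/post)install scripts;
    // these deserve review because they execute code at install time.
    if (meta.hasInstallScript) findings.push({ path, reason: "runs install script" });
  }
  return findings;
}

// Constructed sample lockfile mirroring the compromise described in the article.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "1.0.0", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

To run against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.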
The heart of the attack is a platform-specific delivery mechanism that tailors its payload to the victim’s operating system. Whether the target is running Windows, macOS, or Linux, the final stage is the deployment of WAVESHAPER.V2, a potent backdoor.
This malware acts as a fully functional Remote Access Trojan (RAT) with a wide array of capabilities:
- Reconnaissance: Extracts hostname, username, OS version, and detailed process lists.
- File System Enumeration: Recursively searches through directories to return detailed metadata.
- Command Execution: Supports arbitrary shell commands and “in-memory Portable Executable (PE) injection”.
- Backdoor Commands: Includes specific instructions like kill, rundir, and runscript to control the infected host.
GTIG has attributed this campaign to UNC1069, a “financially motivated North Korea-nexus threat actor active since at least 2018”. This attribution is supported by technical overlaps in C2 infrastructure and the evolution of the WAVESHAPER malware itself.
WAVESHAPER.V2 represents a significant upgrade over its predecessor, moving to JSON-based communication and supporting a broader range of commands, though it still shares the “identical C2 polling behaviors and an uncommon User-Agent string”.
The implications of this attack are “broad and has ripple effects as other popular packages rely on axios as a dependency”. With hundreds of thousands of secrets potentially stolen across recent supply chain attacks, the security landscape is facing a period of high risk.
“Supply chain compromise is a particularly dangerous tactic because it abuses the inherent trust that users and enterprise administrators place in hardware, software, and updates,” the report concludes. Enterprises are urged to immediately assess their environments, remove compromised axios versions, and harden their software ingestion pipelines against future threats.