North Korean Hackers Infect Windows, macOS, Linux via Axios

David kimber
April 1, 2026 3 Min Read

North Korean state-sponsored threat actors have launched a significant software supply chain attack, compromising the widely adopted Axios NPM package to distribute malware across Windows, macOS, and Linux systems.

The poisoned releases, axios 1.14.1 and 0.30.4, pulled in plain-crypto-js and quietly delivered the WAVESHAPER.V2 backdoor to Windows, macOS, and Linux systems during installation.

The incident is serious because axios is one of the most common libraries for handling HTTP requests, and the affected branches normally draw very large weekly download volumes.

That reach means one compromised package update could expose developer laptops, build servers, CI/CD pipelines, and downstream applications that trusted the official package stream.

After reviewing the intrusion, Google Cloud researchers assessed that the attacker likely compromised the axios maintainer account, changed the email tied to it, and then inserted plain-crypto-js version 4.2.1 into the package.

The company linked the activity to UNC1069, a financially motivated North Korea-nexus threat actor, based on overlaps in infrastructure and the use of the updated WAVESHAPER.V2 malware family.

What makes this campaign especially dangerous is its simple delivery method. Instead of waiting for a user to open a file or click a link, the malicious code abused the normal NPM install process through a postinstall hook, allowing the dropper to run in the background as soon as the tainted axios package was installed.

How the infection worked

The infection chain centered on an obfuscated JavaScript dropper called setup.js, which Google's Threat Intelligence Group (GTIG) also tracks as SILKBELL. Once executed, the script checked the operating system and delivered a different payload for each platform.

On Windows, it searched for powershell.exe, copied it to another path to reduce suspicion, downloaded a PowerShell stage with curl, and ran it with hidden and execution-policy-bypass options.

On macOS, it used bash and curl to place a Mach-O binary in /Library/Caches/com.apple.act.mond, changed file permissions, and launched it through zsh. On Linux, it downloaded a Python backdoor to /tmp/ld.py.

The malware also tried to hide what it had done. Google’s analysis showed that setup.js attempted to delete itself after dropping the next stage and restore the altered package.json from a stored copy so forensic review would be harder.

The final payload, WAVESHAPER.V2, then beaconed to its command-and-control server every 60 seconds over port 8000 using Base64-encoded JSON and a hard-coded user-agent string.

This backdoor gives the attackers far more than simple remote access. GTIG said the malware can collect system details, list files and directories, run scripts, inject or execute additional payloads, and wait for more commands from the server.

On Windows, the threat can also persist by creating a hidden batch file and adding a MicrosoftUpdate entry under the current user’s Run registry key so it launches at logon.

For defenders, the response should begin with package control and host containment. Google said organizations should avoid axios versions 1.14.1 and 0.30.4, pin projects to known-good releases such as 1.14.0 or earlier and 0.30.3 or earlier, and check lockfiles for plain-crypto-js versions 4.2.0 or 4.2.1.

Any system that installed the malicious dependency should be treated as compromised, rebuilt or reverted to a known-good state, and followed by credential rotation for tokens, API keys, and other secrets that may have been present on the host.

Teams should also pause affected CI/CD jobs, clear npm, yarn, and pnpm caches, block traffic to sfrclak[.]com and 142.11.206.73, and watch for suspicious child processes spawned from Node.js applications.
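The lockfile check described above, written out as an added example (this is not code from the article, from GTIG, or from the axios project): it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), flags the axios and plain-crypto-js versions the article names, and separately lists every dependency that npm has recorded as running an install script, since a postinstall hook is the delivery mechanism the article describes. The sample lockfile fragment, the `some-native-addon` package, and the `hasInstallScript` placement on plain-crypto-js are constructed for the demo.

```javascript
// Added example, not code from the article or the axios project: audit an npm
// package-lock.json (lockfileVersion 2 or 3) for the package versions the article
// names, and list every dependency that ships an install script.

// Versions the article says to avoid (axios) or to look for in lockfiles (plain-crypto-js).
const BAD_VERSIONS = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.0", "4.2.1"]),
};

// Lockfile v2/v3 keys are install paths such as "node_modules/axios" or
// "node_modules/foo/node_modules/@scope/pkg"; the package name is the part
// after the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns one finding per suspicious entry: { path, name, version, reasons }.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project's own entry
    const name = entry.name || packageNameFromPath(path);
    const reasons = [];
    if (BAD_VERSIONS[name] && BAD_VERSIONS[name].has(entry.version)) {
      reasons.push("known-malicious version");
    }
    // npm sets hasInstallScript on entries with preinstall/install/postinstall
    // scripts; legitimate native add-ons have them too, so this is a review
    // list, not a verdict.
    if (entry.hasInstallScript) reasons.push("runs an install script");
    if (reasons.length) findings.push({ path, name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed lockfile fragment for the demo (not a real project's lockfile).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.9" },
    "node_modules/some-native-addon": { version: "2.0.0", hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reasons.join("; ")}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; lockfileVersion 1 files use a nested `dependencies` tree instead of `packages` and are not handled here. Pairing the audit with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) on build agents removes the postinstall execution path entirely, at the cost of having to run the install scripts of trusted native packages explicitly.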

The wider lesson is clear: trusted open source packages can become intrusion points with very little warning. In this case, the attackers used routine developer behavior (package installation) to move from a software update into full cross-platform compromise.

Since axios sits deep inside many dependency trees, organizations now need to review not only direct installations but also inherited exposure across build pipelines, internal tools, and production services.

Where plain-crypto-js is found, defenders should assume the malware may have reached beyond the first machine and validate nearby systems for related activity. Speed matters most, and early containment can limit follow-on abuse.
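One way to validate nearby systems for the beaconing behavior the article attributes to WAVESHAPER.V2 (a check-in every 60 seconds on port 8000 with a fixed User-Agent), as an added example that is not part of the article or of GTIG's analysis: it groups connection-log events into flows, flags flows to the chosen port whose inter-event gaps are all within a tolerance of the median gap, and separately flags any flow to the indicators the article lists. The `key=value` log format, the 10.0.0.x sources, and the 203.0.113.x destinations are constructed for the demo; only `sfrclak.com` and `142.11.206.73` come from the article.

```javascript
// Added example (not from the article): detect fixed-cadence beaconing to a
// port in connection logs, plus matches against the article's indicators.

// Indicators named in the article.
const KNOWN_C2 = new Set(["sfrclak.com", "142.11.206.73"]);

// Constructed key=value connection log, one event per line.
const SAMPLE_LOG = [
  'ts=2026-04-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 ua="Mozilla/5.0 (X11; Linux x86_64)"',
  'ts=2026-04-01T10:01:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 ua="Mozilla/5.0 (X11; Linux x86_64)"',
  'ts=2026-04-01T10:02:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 ua="Mozilla/5.0 (X11; Linux x86_64)"',
  'ts=2026-04-01T10:03:01Z src=10.0.0.5 dst=203.0.113.10 dport=8000 ua="Mozilla/5.0 (X11; Linux x86_64)"',
  'ts=2026-04-01T10:04:00Z src=10.0.0.5 dst=203.0.113.10 dport=8000 ua="Mozilla/5.0 (X11; Linux x86_64)"',
  'ts=2026-04-01T10:00:05Z src=10.0.0.9 dst=203.0.113.30 dport=8000 ua="curl/8.5.0"',
  'ts=2026-04-01T10:00:25Z src=10.0.0.9 dst=203.0.113.30 dport=8000 ua="curl/8.5.0"',
  'ts=2026-04-01T10:03:00Z src=10.0.0.9 dst=203.0.113.30 dport=8000 ua="curl/8.5.0"',
  'ts=2026-04-01T10:03:05Z src=10.0.0.9 dst=203.0.113.30 dport=8000 ua="curl/8.5.0"',
  'ts=2026-04-01T10:00:10Z src=10.0.0.7 dst=203.0.113.20 dport=443 ua="Mozilla/5.0"',
  'ts=2026-04-01T10:01:10Z src=10.0.0.7 dst=203.0.113.20 dport=443 ua="Mozilla/5.0"',
  'ts=2026-04-01T10:02:10Z src=10.0.0.7 dst=203.0.113.20 dport=443 ua="Mozilla/5.0"',
  'ts=2026-04-01T10:03:10Z src=10.0.0.7 dst=203.0.113.20 dport=443 ua="Mozilla/5.0"',
  'ts=2026-04-01T10:07:00Z src=10.0.0.11 dst=142.11.206.73 dport=8000 ua="Mozilla/5.0"',
].join("\n");

// Parse key=value pairs; quoted values may contain spaces.
function parseLine(line) {
  const fields = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) fields[m[1]] = m[3] !== undefined ? m[3] : m[2];
  return fields;
}

// Returns one hit per suspicious flow: { src, dst, dport, events, reasons }.
function findBeacons(logText, { port = 8000, minEvents = 4, tolerance = 0.1 } = {}) {
  const flows = new Map();
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const f = parseLine(line);
    const key = `${f.src}>${f.dst}:${f.dport}`;
    if (!flows.has(key)) {
      flows.set(key, { src: f.src, dst: f.dst, dport: Number(f.dport), times: [], uas: new Set() });
    }
    const flow = flows.get(key);
    flow.times.push(Date.parse(f.ts) / 1000);
    flow.uas.add(f.ua);
  }
  const hits = [];
  for (const flow of flows.values()) {
    const reasons = [];
    if (KNOWN_C2.has(flow.dst)) reasons.push("destination matches known C2 indicator");
    if (flow.dport === port && flow.times.length >= minEvents) {
      const t = [...flow.times].sort((a, b) => a - b);
      const gaps = t.slice(1).map((v, i) => v - t[i]);
      const median = [...gaps].sort((a, b) => a - b)[Math.floor(gaps.length / 2)];
      // A beacon is regular if every gap sits within tolerance of the median gap.
      const regular = gaps.every((g) => Math.abs(g - median) <= tolerance * median);
      if (regular) {
        let why = `periodic ~${Math.round(median)}s check-in on port ${port}`;
        if (flow.uas.size === 1) why += ", single fixed User-Agent";
        reasons.push(why);
      }
    }
    if (reasons.length) hits.push({ src: flow.src, dst: flow.dst, dport: flow.dport, events: flow.times.length, reasons });
  }
  return hits;
}

for (const h of findBeacons(SAMPLE_LOG)) {
  console.log(`${h.src} -> ${h.dst}:${h.dport} (${h.events} events): ${h.reasons.join("; ")}`);
}
```

The 10.0.0.9 flow is on port 8000 but its gaps are 20, 155 and 5 seconds, so it is not reported; the 10.0.0.7 flow is perfectly periodic but on 443, which the `port` option excludes, and the single event to 142.11.206.73 is reported on the indicator match alone. Loosen `tolerance` if the implant adds jitter, and raise `minEvents` on busy networks to keep keepalive traffic from showing up.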

All Rights Reserved by HackersRadar ©2026