One of the most trusted HTTP client libraries in the JavaScript ecosystem has been weaponized by a North Korea-nexus actor to distribute a cross-platform remote access trojan. This attack specifically targets the developer workstations and automated build pipelines that pull the latest versions of the Axios npm package.
On March 31, 2026, the threat actor UNC1069 compromised the maintainer account for Axios and published poisoned versions 1.14.1 and 0.30.4. These releases delivered the WAVESHAPER.V2 backdoor to an estimated 600,000 installs during a three-hour window. The malware automates the exfiltration of environment variables, cloud access keys, and GitHub personal access tokens from Windows, macOS, and Linux systems.
Organizations frequently prioritize speed over dependency integrity in their CI/CD workflows, often relying on implicit trust in a reputable package name. When a primary library is compromised, the attack surface is no longer your perimeter, but the verified code running inside your production infrastructure.
– Check project lockfiles for Axios versions 1.14.1 or 0.30.4 and for any reference to plain-crypto-js.
– Revert to Axios 1.14.0 or 0.30.3 immediately and delete affected node_modules directories.
– Rotate all secrets present in environment variables on any system where the poisoned versions executed.
– Enforce SHA-256 hash pinning for all critical npm dependencies to prevent automated version hijacking.
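The first item above can be scripted against an npm package-lock.json. The following is an added example (not code from the original post or from the Axios project): it walks the lockfile's "packages" map (lockfileVersion 2 or 3), flags the two named Axios versions and any occurrence of plain-crypto-js, and assumes a constructed sample lockfile for demonstration.

```javascript
// Added example: scan an npm package-lock.json for the poisoned Axios releases
// and for the plain-crypto-js dependency named in the advisory above.
const POISONED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const SUSPECT_PACKAGE = "plain-crypto-js";

// Returns a list of {path, reason} findings for a parsed lockfile object.
function scanLockfile(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // "" is the root project entry, not a dependency
    // Keys look like "node_modules/axios" or "node_modules/a/node_modules/axios";
    // the package name is whatever follows the last "node_modules/" segment.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name === "axios" && POISONED_AXIOS.has(meta.version)) {
      findings.push({ path, reason: `axios ${meta.version} is a poisoned release` });
    }
    if (name === SUSPECT_PACKAGE) {
      findings.push({ path, reason: `${SUSPECT_PACKAGE} is installed (${meta.version})` });
    }
    // Also catch a package that merely declares the suspect dependency.
    if (Object.keys(meta.dependencies || {}).includes(SUSPECT_PACKAGE)) {
      findings.push({ path, reason: `${name} depends on ${SUSPECT_PACKAGE}` });
    }
  }
  return findings;
}

// Read and scan a lockfile from disk (used when a path is passed on the CLI).
function scanLockfileFile(filePath) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample lockfile: one affected install plus an unrelated package.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/unrelated-dep": { version: "2.3.4" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const findings = target ? scanLockfileFile(target) : scanLockfile(SAMPLE_LOCKFILE);
  for (const f of findings) console.log(`${f.path}: ${f.reason}`);
  process.exitCode = findings.length ? 1 : 0; // non-zero exit fails a CI step
}
```

Run it as `node scan.js path/to/package-lock.json` in a CI step; with no argument it scans the constructed sample.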
Implicit trust in collaborative code-sharing communities is a systemic risk that requires architectural hardening rather than simple patching. #CodeDefence #SupplyChain #Axios #UNC1069
