Code Defence Cyber security

UNC1069 North Korea-nexus actor compromises Axios npm package distribution

The North Korea-nexus threat actor UNC1069 successfully compromised the distribution channel for Axios, the most popular JavaScript HTTP client library. This supply chain attack delivered a multi-stage remote access trojan to developer workstations and CI/CD runners during a three-hour exposure window on March 31.

The attacker hijacked the maintainer account on GitHub and published malicious Axios versions 1.14.1 and 0.30.4. These versions introduced a dependency named plain-crypto-js which utilized a postinstall hook to execute an obfuscated dropper. The final payload, WAVESHAPER.V2, automates the theft of cloud credentials, SSH keys, and Kubernetes tokens from the infected environment.

This incident highlights the failure of identity-only trust models in software distribution. Despite the use of OIDC Trusted Publishing, the fallback to long-lived NPM_TOKEN environment variables allowed the attacker to bypass modern provenance controls. Organizations must move beyond trusting package names and implement behavioral monitoring for build processes.

– Audit package-lock.json and yarn.lock files for Axios versions 1.14.1 or 0.30.4 and the plain-crypto-js package.

– Revert to Axios version 1.14.0 or 0.30.3 and enforce strict version pinning in all repository configurations.

– Rotate every secret, including AWS-vault tokens and service account keys, present in any environment where the malicious versions were executed.

– Revoke all long-lived npm tokens and transition to OIDC-only publishing to eliminate fallback vulnerabilities.

Dependency pinning is a baseline requirement, but the rotation of exposed secrets is the only way to remediate the long-term risk of credential-based lateral movement. #CodeDefence #SupplyChain #Axios #UNC1069
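The lock-file audit from the first remediation step, as an added example that is not part of the original post: it flags the affected Axios releases and the plain-crypto-js dependency in a package-lock.json, handling both the flat v2/v3 "packages" layout and the nested v1 "dependencies" layout so transitive copies are caught too. The indicator values are those quoted above; the sample lockfile is constructed.

```javascript
// Added example, not from the original post: flag the compromised Axios
// releases and the plain-crypto-js dependency in a package-lock.json.
// Indicator values are taken from the post; the sample lockfile is constructed.

const BAD_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) }; // releases named in the post
const BAD_PACKAGES = new Set(["plain-crypto-js"]);             // dropper dependency

// Yield {name, version, path} for lockfile v2/v3 ("packages", keys such as
// "node_modules/axios") or, for lockfile v1, the nested "dependencies" tree.
function* lockEntries(lock) {
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key) continue; // "" is the root project itself
    yield { name: key.slice(key.lastIndexOf("node_modules/") + 13), version: meta.version, path: key };
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps)) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      if (meta.dependencies) yield* walk(meta.dependencies, `${path}/`); // nested transitive copies
    }
  }
  if (!lock.packages && lock.dependencies) yield* walk(lock.dependencies, "");
}

// Return every entry matching an indicator, tagged with the reason it was flagged.
function auditLock(lock) {
  const findings = [];
  for (const e of lockEntries(lock)) {
    if (BAD_PACKAGES.has(e.name)) findings.push({ ...e, reason: "dropper dependency" });
    else if (BAD_VERSIONS[e.name]?.has(e.version)) findings.push({ ...e, reason: "compromised release" });
  }
  return findings;
}

// Convenience wrapper for a lockfile on disk, e.g. auditLockFile("package-lock.json").
const auditLockFile = (file) => auditLock(JSON.parse(require("fs").readFileSync(file, "utf8")));

// Constructed sample: a v3 lockfile containing the bad release and its dropper.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
```

A non-empty result means the affected environment should be treated as compromised and every secret it could reach rotated, as the steps above describe.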