One of the most trusted HTTP client libraries in the JavaScript ecosystem was weaponized by a North Korea-nexus actor to distribute a cross-platform remote access trojan. This attack specifically targeted the developer workstations and automated build pipelines that pull the latest versions of the Axios npm package.
On March 31, 2026, the threat actor UNC1069 (also known as Sapphire Sleet) compromised a maintainer account and published poisoned versions 1.14.1 and 0.30.4. These releases delivered the WAVESHAPER.V2 backdoor to Windows, macOS, and Linux systems. The malware automates the exfiltration of environment variables, cloud access keys, and GitHub personal access tokens during the npm install or update workflow.
Organizations frequently prioritize speed over dependency integrity in their CI/CD workflows, often relying on implicit trust in a reputable package name. When a primary library is compromised, the attack surface is no longer your perimeter, but the verified code running inside your production infrastructure.
– Check project lockfiles for Axios versions 1.14.1 or 0.30.4 and for any reference to plain-crypto-js.
– Revert to Axios 1.14.0 or 0.30.3 immediately and delete affected node_modules directories.
– Rotate all secrets present in environment variables on any system where the poisoned versions executed.
– Enforce SHA-256 hash pinning for all critical npm dependencies to prevent automated version hijacking.
Implicit trust in collaborative code-sharing communities is a systemic risk that requires architectural hardening rather than simple patching. #CodeDefence #SupplyChain #Axios #UNC1069
