
The 39-Minute Sabotage: How State-Sponsored Hackers Hijacked 100 Million Axios Downloads
Tags: supply chain attack, axios, North Korean threat actor, UNC1069, Nickel Gladstone, Waveshaper.v2, npm, JavaScript
A North Korean threat actor compromised the npm account of the primary maintainer of the axios JavaScript library and injected a malicious dependency that deployed a backdoor called Waveshaper.v2 on Windows, Linux, and macOS, putting a package with over 100 million weekly downloads at risk. The attack was highly coordinated: malicious payloads were staged 18 hours in advance, and both release branches were poisoned within 39 minutes, making it one of the most operationally sophisticated supply chain attacks ever documented against a major npm package.
Indicators of Compromise
| Indicator | Source | Date |
|---|---|---|
| process.name | AlienVault | 2026-04-06 |
| linux: packages.npm.org | AlienVault | 2026-04-06 |
| packages.npm.org | AlienVault | 2026-04-06 |
| sfrclak.com | AlienVault | 2026-04-06 |
| windows: packages.npm.org | AlienVault | 2026-04-06 |
| domain: sfrclak.com | AlienVault | 2026-04-06 |
| process.parent.name | AlienVault | 2026-04-06 |
| macos: packages.npm.org | AlienVault | 2026-04-06 |
APT Groups (1)
UNC1069 (KP)
MASANCryptoCore
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTION
| ID | Description |
|---|---|
| DET0009 | Supply-chain tamper in dependencies/dev-tools (manager → write/install → first-run → egress) |
| DET0027 | Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets |
| DET0060 | Detect Ingress Tool Transfers via Behavioral Chain |
| DET0140 | Behavioral Detection of Malicious File Deletion |
| DET0264 | Cross-Platform Detection of JavaScript Execution Abuse |
Observed Countries (1)
KR (121)