The 39-Minute Sabotage: How State-Sponsored Hackers Hijacked 100 Million Axios Downloads

Tags: supply chain attack, axios, North Korean threat actor, UNC1069, Nickel Gladstone, Waveshaper.v2, npm, JavaScript

A North Korean threat actor compromised the npm account of the primary maintainer of the axios JavaScript library and injected a malicious dependency that deployed a backdoor called Waveshaper.v2 on Windows, Linux, and macOS, putting a package with over 100 million weekly downloads at risk. The attack was highly coordinated: the malicious payloads were staged 18 hours in advance, and both release branches were poisoned within 39 minutes, making it one of the most operationally sophisticated supply chain attacks documented against a major npm package.

Indicators of Compromise

domain: sfrclak.com
domain: packages.npm.org (observed on linux, windows and macos)
fields: process.name, process.parent.name

APT Groups (1)

UNC1069 / KPMASAN / CryptoCore

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTION

ID       Description
DET0009  Supply-chain tamper in dependencies/dev-tools (manager -> write/install -> first-run -> egress)
DET0027  Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets
DET0060  Detect Ingress Tool Transfers via Behavioral Chain
DET0140  Behavioral Detection of Malicious File Deletion
DET0264  Cross-Platform Detection of JavaScript Execution Abuse

Observed Countries (1)

KR (121)