The 39-Minute Sabotage: How State-Sponsored Hackers Hijacked 100 Million Axios Downloads

Tags: supply chain attack, axios, North Korean threat actor, UNC1069, Nickel Gladstone, Waveshaper.v2, npm, JavaScript

A North Korean threat actor compromised the npm account of the primary maintainer of the axios JavaScript library and injected a malicious dependency that deployed a backdoor called Waveshaper.v2 on Windows, Linux, and macOS, putting over 100 million weekly downloads at risk. The attack was highly coordinated: malicious payloads were staged 18 hours in advance, and both release branches were poisoned within 39 minutes, making it one of the most operationally sophisticated supply chain attacks ever documented against a major npm package.

Indicators of Compromise

Domains (8)

process.name
linuxpackages.npm.org
packages.npm.org
sfrclak.com
windowspackages.npm.org
domainsfrclak.com
process.parent.name
macospackages.npm.org

Hashes (31)


IPv4 (2)

23.254.167.216
142.11.206.73

APT Groups

UNC1069

KP

Notes

CONCLUSION

The North Korean threat actor demonstrates strategic adaptability by using supply chain attacks to infiltrate widely used software libraries such as axios. This approach lets them potentially affect a vast number of users across different operating systems and shows their capability to execute sophisticated cyber operations. The impact on the software sector is significant: the axios library is integral to many applications, and its compromise could lead to unauthorized access and data breaches. Countries like North Korea continue to pose a threat to global cybersecurity, with their actors targeting critical software components. To mitigate such risks, organizations should use SOCRadar IOC Radar for investigating indicators of compromise, SOCRadar Dark Web Monitoring for detecting credential leaks, SOCRadar Cyber Threat Intelligence for tracking threat actor tactics, techniques, and procedures, SOCRadar Brand Protection for identifying phishing domains, and SOCRadar Attack Surface Management for maintaining visibility over exposed assets. These tools can help organizations strengthen their defenses against evolving cyber threats.

Mitigation

ID: M1015
Active Directory Configuration
Implement robust Active Directory (AD) configurations using group policies to secure user accounts, control access, and minimize the attack surface. AD configurations enable centralized control over account settings, logon policies, and permissions, reducing the risk of unauthorized access and lateral movement within the network.

ID: M1016
Vulnerability Scanning
Vulnerability scanning is used to find potentially exploitable software vulnerabilities so that they can be remediated. Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered, whether through scanning or through public disclosure.

ID: M1017
User Training
User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses.

ID: M1018
User Account Management
User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies.