UNC1069 Hijacks Axios npm Package: North Korean RAT Hits 12,000+ Projects in Three Hours
A North Korean threat actor hijacked the axios npm package on March 31, 2026, injecting a cross-platform remote access trojan into one of the most widely used JavaScript libraries on the planet. The exposure window lasted roughly three hours [8], but with axios pulling over 100 million weekly downloads [7], the blast radius is potentially one of the largest in npm history [2]. Google Threat Intelligence Group (GTIG) formally attributed the attack to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018 [3]. CrowdStrike separately attributed the activity to STARDUST CHOLLIMA with moderate confidence, noting that DPRK-nexus adversaries frequently share infrastructure, which prevents higher-confidence attribution.
Socket.dev detected the compromise within six minutes [14], but by the time the malicious versions were pulled, StepSecurity's Harden-Runner tool had already flagged anomalous command-and-control contact in over 12,000 projects [8]. Huntress observed at least 135 endpoints across all operating systems reaching out to attacker infrastructure within its partner base alone [6].
Background: UNC1069 and North Korean Supply Chain Operations
UNC1069 is not a newcomer. GTIG tracks this cluster as a financially motivated group with operations dating back to 2018, primarily focused on cryptocurrency theft [3]. North Korean hackers have "deep experience with supply chain attacks, which they've historically used to steal cryptocurrency" [4]. Infrastructure used in this axios compromise overlaps with previous UNC1069 operations [3], giving GTIG high confidence in the attribution.
The operational sophistication here is notable. The threat actors staged the malicious dependency (plain-crypto-js) on npm roughly 18 hours, close to a full day, before the account takeover [7]. This pre-positioning meant the poisoned package was already live on the registry when the attackers pivoted to compromising the axios maintainer account, and the gap points to deliberate operational planning rather than an opportunistic grab.
CrowdStrike's parallel attribution to STARDUST CHOLLIMA adds an important wrinkle. The deployment of malware CrowdStrike tracks as ZshBucket, combined with overlapping infrastructure, supports the DPRK nexus. However, CrowdStrike holds attribution at moderate confidence rather than high. This kind of infrastructure overlap between North Korean clusters is common and reflects the shared resource model that DPRK cyber operations have used for years.
The Account Takeover
The attackers compromised the npm account of maintainer Jason Saayman (jasonsaayman) [5] [7]. They changed Saayman's email address to an attacker-controlled ProtonMail account for persistence [2] and also hijacked his GitHub account [7]. With credentials in hand, they published the malicious versions via npm CLI [7].
Two backdoored versions went live within a 39-minute window [5]:
- axios@1.14.1, tagged as `latest` [1] [5]
- axios@0.30.4, tagged as `legacy` [1] [5]
Tagging one version `latest` and the other `legacy` was a calculated move. Any developer running a plain npm install axios would pull 1.14.1 by default, while projects whose ranges resolve within the 0.x line (for example ^0.30.0) would get 0.30.4 [2]. This dual-tagging strategy maximized the attack surface across both active and legacy codebases.
The Phantom Dependency: plain-crypto-js
Here's what made this attack particularly insidious: "There are zero lines of malicious code inside axios itself" [1]. The backdoored axios versions simply added a new dependency, plain-crypto-js@4.2.1, to the package manifest [1]. All the malicious logic lived in that phantom dependency.
The plain-crypto-js package contained a postinstall script (setup.js) that served as the initial dropper [1]. This script used two layers of obfuscation to avoid static analysis [11]: an XOR cipher with key OrDeR_7077 and constant value 333, plus reversed Base64 encoding with padding character substitution [11].
After execution, the malware replaced its own package.json with a clean decoy, effectively self-deleting the evidence trail [11]. By the time a developer inspected their node_modules directory, the dropper had already done its work and covered its tracks.
WAVESHAPER.V2: A Cross-Platform RAT
The payload deployed by the dropper is a backdoor GTIG tracks as WAVESHAPER.V2 [3]. This is a cross-platform remote access trojan with implementations for Windows, macOS, and Linux, all sharing an identical C2 protocol [5]. Elastic Security Labs confirmed that "the attacker deployed three parallel implementations of the same RAT" [5].
The RAT established outbound connections to sfrclak[.]com (resolving to 142.11.206.73) [1] [11].
The identical C2 protocol across platforms suggests a shared codebase or at minimum a shared specification document, which aligns with the resource-sharing model seen across North Korean cyber operations. A single operator could manage compromised endpoints regardless of OS.
Indicators of Compromise
| Type | Value | Context | Source |
|---|---|---|---|
| domain | sfrclak[.]com | Primary C2 server | [1] [11] |
| IP | 142.11.206.73 | C2 IP address | [1] [11] |
| package | plain-crypto-js | Malicious phantom dependency (v4.2.1) | [1] [6] |
| filename | setup.js | Postinstall dropper script | [1] [11] |
| package | axios@1.14.1 | Compromised version (tagged latest) | [1] [5] |
| package | axios@0.30.4 | Compromised version (tagged legacy) | [1] [5] |
| malware | WAVESHAPER.V2 | Cross-platform RAT | [3] [8] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Hijacked legitimate npm package to distribute malware [1] [3] |
| T1078 | Valid Accounts | Compromised maintainer credentials for npm and GitHub [5] [7] |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Linux/macOS RAT variant [5] |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Windows RAT variant [5] |
| T1027 | Obfuscated Files or Information | XOR cipher and reversed Base64 in dropper [11] |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Postinstall script execution during package installation [1] |
| T1070.004 | Indicator Removal: File Deletion | Self-deleting dropper replaces package.json with clean decoy [11] |
Detection and Hunting
Network-level hunting is the fastest way to identify compromised systems. Query DNS logs and proxy logs for connections to sfrclak[.]com and the known C2 IP (142.11.206.73). In Splunk:
index=dns (query="*sfrclak.com" OR query="*sfrclak*")
| stats count by src_ip, query, _time
index=proxy dest_ip="142.11.206.73"
| stats count by src_ip, dest_ip, dest_port, _time
Package audit across all repositories and CI/CD environments. Search for plain-crypto-js anywhere in node_modules, package-lock.json, or yarn.lock files. A lockfile hit proves that one of the backdoored axios versions was resolved; whether the dropper actually ran on a given host depends on whether an install with lifecycle scripts enabled (the npm default unless --ignore-scripts was set) happened there, so treat a lockfile hit as confirmed exposure and a node_modules hit as a host-level incident. In a Unix environment:
find / \( -name "package-lock.json" -o -name "yarn.lock" \) -exec grep -l "plain-crypto-js" {} \; 2>/dev/null
find / -type d -path "*/node_modules/plain-crypto-js" 2>/dev/null
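The find commands above only grep lockfiles as text. As an added example (not the authors' tooling, and not from any of the cited reports), the Python below parses the lockfile formats properly, so nested and scoped entries and the backdoored axios versions themselves are reported, not just the phantom dependency string. The lockfile contents embedded at the bottom are constructed for the demo.

```python
"""Scan npm and yarn lockfiles for the axios compromise indicators.

Added example, not tooling from the cited reports. Understands
package-lock.json lockfileVersion 1 (nested "dependencies"), versions 2
and 3 ("packages" keyed by node_modules path) and the yarn.lock v1 text
format. The sample lockfile contents below are constructed for the demo.
"""
import json
import os
import re

PHANTOM_DEP = "plain-crypto-js"
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
VERSION_LINE = re.compile(r'^  version "?([^"\s]+)"?\s*$')


def _check(hits, name, version):
    """Record a hit for the phantom dependency or a backdoored axios."""
    if name == PHANTOM_DEP:
        hits.add((name, version or "?"))
    elif name == "axios" and version in BAD_AXIOS_VERSIONS:
        hits.add((name, version))


def scan_package_lock(text):
    """Return sorted (name, version) hits from package-lock.json content."""
    data = json.loads(text)
    hits = set()
    # v2/v3: keys look like "node_modules/axios" or
    # "node_modules/axios/node_modules/plain-crypto-js"; "" is the project root
    for path, meta in data.get("packages", {}).items():
        if path:
            _check(hits, path.rsplit("node_modules/", 1)[-1], meta.get("version"))

    # v1 (and the compatibility copy kept in v2): nested dependency tree
    def walk(deps):
        for name, meta in deps.items():
            _check(hits, name, meta.get("version"))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


def scan_yarn_lock(text):
    """Return sorted (name, version) hits from yarn.lock (v1) content.

    Entries start at column 0 as `name@range[, name@range]:` (optionally
    quoted) followed by an indented `version "x.y.z"` line."""
    hits = set()
    names = []
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            names = []
            for spec in line.rstrip()[:-1].split(", "):
                spec = spec.strip().strip('"')
                at = spec.find("@", 1)  # skip the leading '@' of scoped packages
                names.append(spec[:at] if at > 0 else spec)
            continue
        m = VERSION_LINE.match(line)
        if m:
            for name in names:
                _check(hits, name, m.group(1))
    return sorted(hits)


def scan_directory(root):
    """Walk a tree and map each lockfile path to its hits (clean files omitted)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in ("package-lock.json", "yarn.lock"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8") as f:
                text = f.read()
            hits = scan_package_lock(text) if fname.endswith(".json") else scan_yarn_lock(text)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample lockfiles for the demo (not real project files).
SAMPLE_PACKAGE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
    },
})
SAMPLE_PACKAGE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {"axios": {"version": "0.30.4",
                               "dependencies": {"plain-crypto-js": {"version": "4.2.1"}}}},
})
SAMPLE_YARN_LOCK_BAD = '''# yarn lockfile v1

"axios@^1.14.0":
  version "1.14.1"
  dependencies:
    plain-crypto-js "4.2.1"

plain-crypto-js@4.2.1:
  version "4.2.1"
'''
SAMPLE_YARN_LOCK_CLEAN = '''# yarn lockfile v1

axios@^1.14.0:
  version "1.14.0"
'''

if __name__ == "__main__":
    for label, fn, text in [("lock v3", scan_package_lock, SAMPLE_PACKAGE_LOCK_V3),
                            ("lock v1", scan_package_lock, SAMPLE_PACKAGE_LOCK_V1),
                            ("yarn bad", scan_yarn_lock, SAMPLE_YARN_LOCK_BAD),
                            ("yarn clean", scan_yarn_lock, SAMPLE_YARN_LOCK_CLEAN)]:
        print(label, fn(text))
```

Point scan_directory at a source checkout or a CI cache root; a v2/v3 hit on a package whose entry carries hasInstallScript is the case where the postinstall hook would have run on that host.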
Endpoint detection should focus on processes spawned by Node.js that establish outbound network connections immediately after npm install operations. The postinstall hook in setup.js [1] is the execution trigger. EDR tools should flag any child processes of node or npm that connect to external IPs within seconds of package installation.
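As an added illustration of that correlation (not tooling from the reports cited above), the following Python runs the logic over constructed Sysmon-style records: it walks each node process's parent chain to find a package manager, then flags any external connection the process makes within a short window of its own start. The process-tree markers for npm, yarn and pnpm, the 30-second window and the allowlist handling are assumptions to tune; only the C2 domain and IP are real indicators.

```python
"""Correlate install-time Node.js execution with immediate outbound
network activity, the behaviour a postinstall dropper produces.

Added example, not a detection from the cited reports. The records at the
bottom are constructed Sysmon-style events (EventID 1 = process create,
EventID 3 = network connect) using the field names Sysmon emits; the
package-manager markers and the 30-second window are assumptions to tune.
"""
from datetime import datetime, timedelta
import ipaddress

C2_IOCS = {"sfrclak.com", "142.11.206.73"}       # from the IOC table above
WINDOW = timedelta(seconds=30)                    # assumed: tune per environment
PM_IMAGES = {"npm", "npm.cmd", "npx", "yarn", "yarn.cmd", "pnpm", "pnpm.cmd"}
PM_SCRIPTS = ("npm-cli.js", "npx-cli.js", "yarn.js", "pnpm.cjs")  # the managers are node scripts


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def _is_package_manager(proc):
    cmd = proc["CommandLine"].lower()
    return _basename(proc["Image"]) in PM_IMAGES or any(s in cmd for s in PM_SCRIPTS)


def _external(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def _spawned_by_installer(proc, procs):
    """Walk the (bounded) parent chain; npm runs hooks via a shell, so the
    package manager is normally the grandparent of the script process."""
    cur = procs.get(proc["ParentProcessGuid"])
    for _ in range(16):
        if cur is None:
            return False
        if _is_package_manager(cur):
            return True
        cur = procs.get(cur["ParentProcessGuid"])
    return False


def correlate(events, allow_hosts=()):
    """One alert per external connection made by a node process that was
    spawned under a package manager within WINDOW of its own start.
    allow_hosts suppresses download hosts used by legitimate postinstall
    scripts (native-binary fetchers); a C2 IOC match is never suppressed."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None or not _basename(proc["Image"]).startswith("node"):
            continue
        if not _spawned_by_installer(proc, procs):
            continue
        delta = _ts(e["UtcTime"]) - _ts(proc["UtcTime"])
        if not timedelta(0) <= delta <= WINDOW or not _external(e["DestinationIp"]):
            continue
        host = e.get("DestinationHostname", "")
        ioc_hit = host in C2_IOCS or e["DestinationIp"] in C2_IOCS
        if host in allow_hosts and not ioc_hit:
            continue
        alerts.append({
            "ProcessGuid": e["ProcessGuid"],
            "CommandLine": proc["CommandLine"],
            "Destination": "%s (%s)" % (host or "-", e["DestinationIp"]),
            "SecondsAfterStart": delta.total_seconds(),
            "Severity": "critical" if ioc_hit else "suspicious",
        })
    return alerts


def _proc(guid, parent, image, cmd, t):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "CommandLine": cmd, "UtcTime": t}


def _net(guid, ip, host, t):
    return {"EventID": 3, "ProcessGuid": guid, "DestinationIp": ip,
            "DestinationHostname": host, "UtcTime": t}


NODE = r"C:\Program Files\nodejs\node.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed for the demo; only the C2 values are real IOCs
    # `npm install`: npm itself is node running npm-cli.js, and it talks to the registry
    _proc("g1", "g0", NODE, 'node "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" install',
          "2026-03-31 01:15:00.000"),
    _net("g1", "151.101.1.69", "registry.npmjs.org", "2026-03-31 01:15:01.000"),
    # the postinstall hook: shell -> node setup.js -> C2 two seconds later
    _proc("g2", "g1", CMD, "cmd.exe /d /s /c node setup.js", "2026-03-31 01:15:04.000"),
    _proc("g3", "g2", NODE, "node setup.js", "2026-03-31 01:15:04.500"),
    _net("g3", "142.11.206.73", "sfrclak.com", "2026-03-31 01:15:06.500"),
    # a legitimate binary-fetching postinstall from another package in the same install
    _proc("g6", "g1", CMD, "cmd.exe /d /s /c node install.js", "2026-03-31 01:15:08.000"),
    _proc("g7", "g6", NODE, "node install.js", "2026-03-31 01:15:08.500"),
    _net("g7", "140.82.121.4", "objects.githubusercontent.com", "2026-03-31 01:15:09.000"),
    # an unrelated dev server launched from the desktop: external traffic is normal there
    _proc("g5", "g4", NODE, "node server.js", "2026-03-31 01:14:00.000"),
    _net("g5", "93.184.216.34", "cdn.example.com", "2026-03-31 01:14:05.000"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, allow_hosts={"objects.githubusercontent.com"}):
        print(alert)
```

Without an allowlist the benign install.js fetch is reported too, at the lower severity; that is the right default for a hunt, and the allowlist is what keeps the rule quiet in steady-state operation.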
CI/CD pipeline logs deserve special attention. Automated builds that ran between 00:21 and 03:20 UTC on March 31 [3] and resolved axios from a floating range (no committed lockfile, or a job that refreshes the lockfile instead of running npm ci) are the highest-risk targets. Review build logs for that window and check whether the resolved axios version was 1.14.1 or 0.30.4.
Analysis
This attack lands in the context of an intensifying wave of software supply chain compromises. Just days earlier, UNC6780 (also known as TeamPCP) compromised Aqua Security's Trivy scanner via GitHub Actions [9] and backdoored LiteLLM on PyPI [10]. The axios attack is distinct in attribution and tradecraft, but the timing is worth noting: three major supply chain compromises in under two weeks, targeting different ecosystems (npm, PyPI, GitHub Actions) and different toolchains.
UNC1069's choice of axios was not random. A package with 100 million weekly downloads tagged as latest guarantees maximum propagation with minimum effort. The three-hour window was enough. StepSecurity's detection of C2 contact in over 12,000 projects [8] likely represents a fraction of the total impact, since that number only reflects projects using Harden-Runner.
The financial motivation GTIG assigns to UNC1069 [3] [4] tracks with the RAT deployment model. WAVESHAPER.V2 gives persistent access to developer machines, which are treasure troves of credentials, cloud keys, and access to production infrastructure. For a group historically focused on cryptocurrency theft [4], compromising developer endpoints is a direct path to wallet keys and exchange credentials.
Red Sheep Assessment
Confidence: Moderate-High
The dual attribution from GTIG (UNC1069) and CrowdStrike (STARDUST CHOLLIMA) points to DPRK but also reveals ongoing difficulty in cleanly separating North Korean operational clusters. This is consistent with what we've seen before: DPRK cyber teams share infrastructure, tooling, and sometimes personnel in ways that frustrate clean-line attribution. The moderate confidence from CrowdStrike specifically reflects real ambiguity in the data.
What the sources collectively suggest but don't explicitly state: the pre-positioning of plain-crypto-js a full day before the account takeover [7] indicates UNC1069 likely had access to Saayman's credentials well before March 30. The attacker chose to stage the malicious dependency first, then execute the npm account takeover, then publish. That operational discipline suggests this wasn't a smash-and-grab credential stuffing operation. They had time, they had a plan, and they executed it in sequence. The credential compromise of both npm and GitHub accounts [7] points to either a shared password or a compromised password manager.
The 12,000+ projects with confirmed C2 contact [8] represent the detected impact. The actual number of compromised environments is almost certainly higher, especially in organizations without supply chain monitoring tooling. Many development machines won't have EDR, won't log outbound DNS, and won't flag a Node.js process making HTTPS connections. The long tail of this compromise will take months to fully map.
A contrarian read: the three-hour window and rapid detection could indicate that npm's monitoring capabilities (and the broader ecosystem's immune response) are actually getting faster. Socket.dev's six-minute detection [14] is impressive. The question is whether that speed matters when a single npm install can compromise a machine in seconds.
Defender's Checklist
- [ ] Hunt for C2 indicators now. Query DNS, proxy, and firewall logs for `sfrclak[.]com` and `142.11.206.73`. Any hit from March 31 onward requires full incident response on the source endpoint.
- [ ] Search all codebases and CI/CD caches for `plain-crypto-js`. Its presence in any `package-lock.json`, `yarn.lock`, or `node_modules` directory confirms exposure. Use: `grep -r "plain-crypto-js" /path/to/projects/`
- [ ] Pin axios to version 1.14.0 (last clean 1.x release with SLSA provenance) or 0.30.3 (last clean 0.x release), remove `^` and `~` prefixes from axios entries in `package.json` across all repositories, and install from the committed lockfile with `npm ci` so the registry's `latest` tag never decides what a build gets.
- [ ] Rotate all credentials accessible from any machine that ran `npm install` between March 31 00:21 and 03:20 UTC [3]. This includes cloud provider keys, database credentials, API tokens, and SSH keys stored in environment variables or dotfiles.
- [ ] Implement npm provenance verification and consider tools like Socket.dev, StepSecurity Harden-Runner, or Snyk to detect anomalous dependency behavior in CI/CD pipelines. Configure alerts on new postinstall scripts added to existing dependencies, and run automated installs with `--ignore-scripts` where the build does not depend on lifecycle hooks.
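The last item, alerting on new postinstall scripts, is easy to do locally without a vendor tool. The Python below is an added example (not from the cited reports or from any of the named products): it inventories every installed package that declares an install-time hook, including nested and scoped packages, and diffs that inventory against a saved baseline, so a dependency that suddenly grows a postinstall, or whose hook command changes, is reported while a plain version bump with the same hook is not. The demo tree and the `node setup.js` command in it are constructed; the page only states that plain-crypto-js carried a postinstall hook running setup.js.

```python
"""Baseline install-time lifecycle scripts in node_modules and flag any
package that newly declares one or whose hook command changed.

Added example, not tooling from the cited reports. The demo tree is built
in a temporary directory; its script commands are constructed.
"""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _is_package_root(dirpath):
    """True for .../node_modules/<name> and .../node_modules/@scope/<name>,
    so a package's own nested package.json files (lib/, dist/) are ignored."""
    parent = os.path.basename(os.path.dirname(dirpath))
    grand = os.path.basename(os.path.dirname(os.path.dirname(dirpath)))
    return parent == "node_modules" or (parent.startswith("@") and grand == "node_modules")


def collect_install_scripts(node_modules):
    """Map package name -> {"version": v, "hooks": {hook: command}} for every
    installed package (nested trees included) that declares an install hook."""
    found = {}
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files or not _is_package_root(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                meta = json.load(f)
        except (OSError, ValueError):
            continue
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            name = meta.get("name") or os.path.basename(dirpath)
            found[name] = {"version": meta.get("version", "?"), "hooks": hooks}
    return found


def diff_install_scripts(current, baseline):
    """Return (new, changed): packages with hooks the baseline never had, and
    packages whose hook commands differ from the baseline. A version bump
    with identical hook commands is not reported."""
    new = {n: v for n, v in current.items() if n not in baseline}
    changed = {n: v for n, v in current.items()
               if n in baseline and baseline[n]["hooks"] != v["hooks"]}
    return new, changed


def build_demo_tree():
    """Construct a throwaway node_modules: a known-good native-binary fetcher
    with a postinstall, a scoped package without hooks, a non-root
    package.json that must be ignored, and the phantom dependency nested
    under axios."""
    nm = os.path.join(tempfile.mkdtemp(prefix="nm_demo_"), "node_modules")
    packages = {
        "esbuild": {"name": "esbuild", "version": "0.21.5",
                    "scripts": {"postinstall": "node install.js"}},
        "@types/node": {"name": "@types/node", "version": "20.0.0"},
        "axios": {"name": "axios", "version": "1.14.1",
                  "dependencies": {"plain-crypto-js": "4.2.1"}},
        "axios/lib": {"type": "module"},
        "axios/node_modules/plain-crypto-js": {
            "name": "plain-crypto-js", "version": "4.2.1",
            "scripts": {"postinstall": "node setup.js"}},  # assumed command
    }
    for rel, meta in packages.items():
        path = os.path.join(nm, *rel.split("/"))
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as f:
            json.dump(meta, f)
    return nm


# Baseline captured from a known-good install (constructed for the demo);
# esbuild has since been bumped but its hook is unchanged, so it stays quiet.
DEMO_BASELINE = {"esbuild": {"version": "0.21.4",
                             "hooks": {"postinstall": "node install.js"}}}

if __name__ == "__main__":
    current = collect_install_scripts(build_demo_tree())
    new, changed = diff_install_scripts(current, DEMO_BASELINE)
    print("new install hooks:", json.dumps(new, indent=2))
    print("changed install hooks:", json.dumps(changed, indent=2))
```

Run collect_install_scripts against a trusted install to write the baseline (json.dump the result), then run the diff as a CI step after every install and fail the build on any entry in `new` or `changed` that has not been reviewed.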
References
1. StepSecurity: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
2. SOCRadar: Axios npm Hijack 2026: Everything You Need to Know
3. Google Cloud Blog: North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package
4. The Hacker News: Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
5. Elastic Security Labs: Inside the Axios supply chain compromise
6. Huntress: Supply Chain Compromise of axios npm Package
7. Infosecurity Magazine: Hackers Hijack Axios npm Package to Spread RATs
8. Tenable: Axios npm Supply Chain Attack FAQ
9. Wiz: Trivy Compromised by TeamPCP
10. Endor Labs: TeamPCP Isn't Done
11. Snyk: Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT
---
Hunt Report: UNC1069 npm Supply Chain Compromise
Hypothesis: If UNC1069/STARDUST CHOLLIMA is active in our environment, we expect to observe DNS queries to sfrclak[.]com, connections to 142.11.206.73, presence of plain-crypto-js in node_modules, and Node.js processes spawning network connections immediately after npm install operations.
Intelligence Summary: North Korean threat actor UNC1069 hijacked the axios npm package on March 31, 2026, injecting the WAVESHAPER.V2 cross-platform RAT via a malicious dependency (plain-crypto-js). During the three-hour exposure window, C2 contact was observed from over 12,000 projects, with the malware connecting to sfrclak[.]com.
Confidence: High | Priority: Critical
Scope
- Networks: All developer workstations, CI/CD systems, build servers, and any systems with Node.js/npm installed
- Timeframe: Priority: March 31, 2026 00:00 UTC - present. Extended: March 30, 2026 - present (to catch pre-positioning)
- Priority Systems: CI/CD pipelines, developer laptops with production access, build servers with deployment credentials, npm registry proxies/mirrors
MITRE ATT&CK Techniques
T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain (Initial Access) [P1]
UNC1069 hijacked the legitimate axios npm package and injected malicious dependency plain-crypto-js to distribute WAVESHAPER.V2 RAT
Splunk SPL:
index=* (sourcetype=npm_audit OR sourcetype=application_logs) ("plain-crypto-js" OR "axios@1.14.1" OR "axios@0.30.4") | stats count by host, package_name, package_version, _time | where package_name="plain-crypto-js" OR (package_name="axios" AND (package_version="1.14.1" OR package_version="0.30.4"))
Elastic KQL:
(package.name:"plain-crypto-js" OR (package.name:"axios" AND (package.version:"1.14.1" OR package.version:"0.30.4"))) AND (event.category:"package" OR event.category:"file")
Sigma Rule:
```yaml
title: Malicious npm Package Installation - UNC1069
id: 8f3e4b2a-1234-5678-abcd-ef1234567890
status: experimental
description: Detects installation of the backdoored axios versions or the plain-crypto-js dependency
references:
  - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
author: Threat Hunt Team
date: 2026/04/01
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: application
  product: nodejs
detection:
  selection:
    - package_name: 'plain-crypto-js'
    - package_name: 'axios'
      package_version:
        - '1.14.1'
        - '0.30.4'
  condition: selection
falsepositives:
  - None expected
level: critical
```
Focus on package installations between March 31 00:21-03:20 UTC. Check package-lock.json and yarn.lock files for persistence.
T1078 — Valid Accounts (Defense Evasion) [P1]
Attackers compromised npm maintainer Jason Saayman's credentials and changed the account email to a ProtonMail address for persistence. Your own telemetry will not contain that maintainer's account events; run these queries against your organization's npm and GitHub audit logs for the accounts you control, where a recovery-email change to a free-mail domain followed by a new publish is the equivalent signal.
Splunk SPL:
index=* (sourcetype=npm_auth OR sourcetype=github_auth) (email_change OR account_modification) | eval suspicious=if(match(new_email, "@(protonmail\.com|proton\.me)$"), "Yes", "No") | where suspicious="Yes" | stats count by user, action, old_email, new_email, src_ip, _time
Elastic KQL:
(event.action:"account.email.changed" OR event.action:"account.modified") AND (user.email:*protonmail.com OR user.email:*proton.me)
Sigma Rule:
```yaml
title: npm Account Email Changed to ProtonMail
id: 9a2b3c4d-2345-6789-bcde-f23456789012
status: experimental
description: Detects npm or GitHub account email changes to ProtonMail domains
references:
  - https://www.infosecurity-magazine.com/news/hackers-hijack-axios-npm-package/
author: Threat Hunt Team
date: 2026/04/01
tags:
  - attack.defense_evasion
  - attack.t1078
logsource:
  service: npm
detection:
  selection:
    event_type:
      - 'email_change'
      - 'account_modification'
    new_email|endswith:
      - '@protonmail.com'
      - '@proton.me'
  condition: selection
falsepositives:
  - Legitimate ProtonMail usage by developers
level: high
```
Check for simultaneous npm and GitHub account modifications. Look for IP address consistency across platforms.
T1059.007 — Command and Scripting Interpreter: JavaScript (Execution) [P1]
Malicious postinstall script (setup.js) executes during npm package installation to drop WAVESHAPER.V2
Splunk SPL:
index=* sourcetype=sysmon EventCode=1 (Image="*\\node.exe" OR Image="*/node") CommandLine="*setup.js*" | join type=outer host [search index=* sourcetype=sysmon EventCode=11 TargetFilename="*setup.js*" | eval file_created=_time] | where file_created < _time | stats values(CommandLine) as commands, values(TargetFilename) as files by host, ParentImage, _time
Elastic KQL:
(process.name:"node" OR process.name:"node.exe") AND (process.command_line:*setup.js* OR process.args:*setup.js*) AND event.action:"process_started"
Sigma Rule:
```yaml
title: Suspicious npm Postinstall Script Execution
id: ab3c4d5e-3456-789a-cdef-123456789abc
status: experimental
description: Detects node executing a setup.js script under a package manager, the dropper pattern carried by the plain-crypto-js dependency
references:
  - https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all
author: Threat Hunt Team
date: 2026/04/01
tags:
  - attack.execution
  - attack.t1059.007
logsource:
  category: process_creation
  product: windows
detection:
  selection_node:
    Image|endswith:
      - '\node.exe'
      - '/node'
    CommandLine|contains: 'setup.js'
  selection_parent:
    ParentImage|contains:
      - 'npm'
      - 'yarn'
      - 'pnpm'
  condition: all of selection_*
falsepositives:
  - Legitimate postinstall scripts named setup.js
level: high
```
Monitor for Node.js processes executing immediately after npm install commands, and for network connections within seconds of execution. Note that npm runs lifecycle hooks through a shell (sh on Unix, cmd.exe on Windows), so the direct parent of node setup.js is usually that shell and the package manager is the grandparent; where your telemetry carries ParentCommandLine or a full process tree, match on those rather than on ParentImage alone.
T1027 — Obfuscated Files or Information (Defense Evasion) [P2]
Dropper uses XOR cipher with key 'OrDeR_7077' and reversed Base64 encoding to evade detection
Splunk SPL:
index=* sourcetype=sysmon EventCode=1 (CommandLine="*OrDeR_7077*" OR CommandLine="*base64*" OR CommandLine="*reverse*") ParentImage="*node*" | regex CommandLine="(OrDeR_7077|atob|reverse|charAt|fromCharCode)" | stats count by host, CommandLine, Image, _time
Elastic KQL:
process.parent.name:"node" AND process.command_line:("*OrDeR_7077*" OR "*atob*" OR "*reverse*" OR "*fromCharCode*")
Look for JavaScript deobfuscation patterns. The constant value 333 may appear in memory strings.
T1070.004 — Indicator Removal: File Deletion (Defense Evasion) [P2]
Malware replaces its own package.json with clean decoy to remove evidence
Splunk SPL:
index=* sourcetype=sysmon (EventCode=11 OR EventCode=23 OR EventCode=26) TargetFilename="*node_modules*package.json" Image="*node*" | table host, TargetFilename, Image, EventCode, _time
Elastic KQL:
(event.action:"creation" OR event.action:"overwrite" OR event.action:"deletion") AND file.path:*node_modules*package.json AND process.name:"node"
Sysmon logs EventID 11 both when a file is created and when it is overwritten, so an in-place rewrite of package.json shows up as a FileCreate from the node process even with no delete event; EventIDs 23 and 26 only appear if FileDelete logging is enabled in your Sysmon configuration. Scope the query to package.json paths under node_modules: the package manager writes them during install, and a node process rewriting one afterwards is the pattern to investigate.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
WAVESHAPER.V2 RAT establishes C2 communication to sfrclak[.]com over HTTPS
Splunk SPL:
index=* (sourcetype=stream:dns OR sourcetype=bro:dns) (query="sfrclak.com" OR query="*.sfrclak.com") | stats count by src_ip, query, answers{}.rdata, _time | rename answers{}.rdata as resolved_ip
Elastic KQL:
dns.question.name:"sfrclak.com" OR destination.ip:"142.11.206.73" OR destination.domain:"sfrclak.com"
Monitor for DNS resolution followed immediately by HTTPS connections. Check for unusual User-Agent strings from Node.js processes.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | sfrclak[.]com | Primary C2 server for WAVESHAPER.V2 RAT |
| ip | 142.11.206.73 | C2 IP address for sfrclak[.]com |
| package | plain-crypto-js | Malicious phantom dependency (v4.2.1) containing dropper |
| filename | setup.js | Postinstall dropper script in plain-crypto-js package |
| package | axios@1.14.1 | Compromised axios version tagged as latest |
| package | axios@0.30.4 | Compromised axios version tagged as legacy |
| email domain | *@protonmail.com | Attacker-controlled email domain used for account persistence |
IOC Sweep Queries (Splunk):
index=* (dest="sfrclak.com" OR query="sfrclak.com" OR url="*sfrclak.com*") | stats count by index, sourcetype, src_ip, dest, _time | sort -_time
index=* (dest_ip="142.11.206.73" OR dst="142.11.206.73" OR dest="142.11.206.73") | stats count by index, sourcetype, src_ip, dest_port, _time | sort -_time
index=* "plain-crypto-js" NOT sourcetype=stash | stats count by index, sourcetype, host, _time | where count > 0
index=* (filename="setup.js" OR file_name="setup.js" OR TargetFilename="*setup.js") | stats count by index, sourcetype, host, file_path, _time
index=* ("axios@1.14.1" OR ("axios" AND "1.14.1")) | stats count by index, sourcetype, host, _time
index=* ("axios@0.30.4" OR ("axios" AND "0.30.4")) | stats count by index, sourcetype, host, _time
index=* "@protonmail.com" (email_change OR account_modified OR new_email) | stats count by index, sourcetype, user, old_email, new_email, _time
YARA Rules
UNC1069_PlainCryptoJS_Dropper — Detects plain-crypto-js dropper with XOR key and obfuscation patterns
```yara
rule UNC1069_PlainCryptoJS_Dropper {
    meta:
        description = "Detects UNC1069 plain-crypto-js npm package dropper"
        author = "Threat Hunt Team"
        date = "2026-04-01"
        reference = "https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/"
    strings:
        $xor_key = "OrDeR_7077" ascii
        $const_val = "333" ascii
        $setup_js = "setup.js" ascii nocase
        $package_name = "plain-crypto-js" ascii
        $obfusc1 = "fromCharCode" ascii
        $obfusc2 = "reverse" ascii
        $obfusc3 = "atob" ascii
        $postinstall = "postinstall" ascii
    condition:
        ($xor_key and $const_val) or
        ($setup_js and $package_name and any of ($obfusc*)) or
        ($package_name and $postinstall and 2 of ($obfusc*))
}
```
The unreferenced `$npm_cmd` string from the first draft is dropped because YARA refuses to compile a rule that declares a string its condition never uses. The `$const_val` and `$obfusc*` atoms are short or common in ordinary JavaScript bundles, which is why every branch of the condition pairs them with the XOR key or the package name.
WAVESHAPER_V2_Strings — Detects WAVESHAPER.V2 RAT string indicators
```yara
rule WAVESHAPER_V2_Strings {
    meta:
        description = "Detects WAVESHAPER.V2 cross-platform RAT"
        author = "Threat Hunt Team"
        date = "2026-04-01"
        reference = "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"
    strings:
        $c2_domain = "sfrclak.com" ascii
        $c2_ip = "142.11.206.73" ascii
        $rat_name = "WAVESHAPER" ascii wide
        $mutex1 = /[a-zA-Z0-9]{8}-wave-[a-zA-Z0-9]{4}/
        $func1 = "executeCommand" ascii
        $func2 = "downloadFile" ascii
        $func3 = "uploadFile" ascii
        $func4 = "getSystemInfo" ascii
    condition:
        ($c2_domain or $c2_ip) and (
            $rat_name or
            $mutex1 or
            3 of ($func*)
        )
}
```
Only the C2 domain and IP in this rule come from the published indicators; the `$rat_name`, `$mutex1` and `$func*` strings are generic RAT heuristics rather than artefacts confirmed in the cited reports, so validate them against a sample before relying on this rule for anything beyond triage.
Suricata Rules
SID 2026033101 — LOCAL TROJAN UNC1069 WAVESHAPER.V2 C2 Domain DNS Query
alert dns $HOME_NET any -> any any (msg:"LOCAL TROJAN UNC1069 WAVESHAPER.V2 C2 Domain DNS Query"; dns.query; content:"sfrclak.com"; nocase; classtype:trojan-activity; sid:2026033101; rev:1;)
SID 2026033102 — LOCAL TROJAN UNC1069 WAVESHAPER.V2 C2 IP Connection
alert tcp $HOME_NET any -> 142.11.206.73 any (msg:"LOCAL TROJAN UNC1069 WAVESHAPER.V2 C2 IP Connection"; flow:established,to_server; classtype:trojan-activity; sid:2026033102; rev:1;)
SID 2026033103 — LOCAL TROJAN UNC1069 WAVESHAPER.V2 TLS Certificate CN
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TROJAN UNC1069 WAVESHAPER.V2 TLS Certificate CN"; tls.cert_subject; content:"CN=sfrclak.com"; classtype:trojan-activity; sid:2026033103; rev:1;)
These are local rules written for this hunt, not Emerging Threats signatures; load them alongside, not in place of, any vendor rules for the same indicators.
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| DNS Logs | T1071.001 | Required for C2 domain detection. Enable DNS query logging on all resolvers. |
| Proxy/Firewall Logs | T1071.001 | Required for outbound HTTPS to C2 IP. Ensure logging of destination IPs. |
| Sysmon EventID 1 | T1059.007, T1027 | Critical for Node.js process execution monitoring. Deploy Sysmon on developer workstations. |
| npm Audit Logs | T1195.002 | Configure npm to log all package installations. Consider npm Enterprise for centralized logging. |
| File Integrity Monitoring | T1070.004, T1195.002 | Monitor node_modules directories and package.json files for modifications. |
| Authentication Logs | T1078 | Collect npm and GitHub authentication events, especially email/password changes. |