Malware on npm: HTTP client axios loads backdoor for Windows, macOS, and Linux
The maintainer account for the axios package on npm was compromised to inject a remote access trojan for Windows, macOS, and Linux.
There has been another supply chain attack on the JavaScript package manager npm: the HTTP client axios shipped with a backdoor. Attackers had previously taken over the account of the axios maintainer. The attack is likely attributable to the North Korean group UNC1069.
Affected is version 1.14.1, which the attackers published on March 30. npm has since reinstated the malware-free version 1.14.0, and the original maintainer has regained control of the package. Anyone using axios should check whether the malware-infected version has made its way onto their systems in the meantime. Besides version 1.14.1, the attackers also published version 0.30.4 with the malware on npm; it has likewise been removed.
Cross-platform attack
The attackers first gained access to the npm maintainer's account via social engineering and then added the dependency “plain-crypto-js@4.2.1” to version 1.14.1 of axios. That dependency runs the JavaScript dropper setup.js from its “postinstall” hook.
The dropper behaves differently depending on the operating system. On Windows, it loads a PowerShell script; on macOS, a Mach-O binary; and on Linux, a Python backdoor. Several methods are used to conceal the attack: The script is obfuscated with Base64 and XOR, and setup.js attempts to delete itself and reset the package.json file after successfully loading the payload.
Command & Control
The platform-specific malware then loads the backdoor, which Google Threat Intelligence identified in an analysis as WAVESHAPER.V2 due to its strong similarities to the WAVESHAPER backdoor that emerged in February 2026. Since the original backdoor is attributed to the UNC1069 group, Google Threat Intelligence suspects that the North Korean group is also behind the attack on axios.
WAVESHAPER.V2 ultimately functions as a remote access trojan: the software contacts a C2 server (Command & Control) and polls it every minute for commands such as runscript, peinject or rundir, which execute further scripts or executables or retrieve information about directories and files. The kill command terminates execution. Google Threat Intelligence considers WAVESHAPER.V2 a direct evolution of the original WAVESHAPER.
Back to version 1.14.0
Anyone using the axios package should check whether the malicious versions 1.14.1 or 0.30.4 have entered their systems. Automated builds should be pinned to the fixed version number instead of pulling the latest release.
In the post by Google Threat Intelligence there is an overview of indicators of compromise, including network traffic to the IP addresses 142.11.206.73 or 23.254.167.216.
(rme)