Lazarus Group Exposes Vulnerabilities in Axios npm Supply Chain Attack
On March 31, 2026, a significant security breach involving the Axios npm supply chain was uncovered, revealing that malicious packages had infiltrated one of JavaScript’s most widely utilized libraries. This incident has been attributed to North Korea’s Lazarus Group, a notorious cybercriminal organization. The implications of this attack extend far beyond the immediate technical vulnerabilities, highlighting critical weaknesses in software supply chains and the potential for widespread exploitation.
The Nature of the Attack
Between 00:21 and 03:20 UTC on March 31, attackers introduced a harmful dependency named plain-crypto-js into the Axios npm releases, specifically versions 1.14.1 and 0.30.4. Axios is renowned for simplifying HTTP requests and boasts over 100 million weekly downloads, making it a prime target for exploitation. The attack was confirmed as state-sponsored by the Google Threat Intelligence Group (GTIG), which identified the responsible actor as UNC1069, a financially motivated group linked to North Korea and active since at least 2018. This attribution was corroborated by ThreatBook, which utilized long-term APT tracking data to connect the attack to the Lazarus Group.
Exploitation of npm and Postinstall Hooks
The npm ecosystem is the largest software registry globally, serving as the backbone for JavaScript developers to download and install essential code libraries. The mechanism abused in this attack was the postinstall hook, a lifecycle script declared in a package's package.json that npm runs automatically when a developer runs npm install and that package is pulled in. This allowed the attackers to execute malicious code silently upon installation of the compromised Axios package, with no action from the developer beyond installing a dependency.
Analysis indicates that the maintainer account for the Axios package was compromised, with the email address altered to an attacker-controlled ProtonMail account. This change facilitated the use of the postinstall hook within the package.json file of the malicious dependency, triggering the execution of an obfuscated JavaScript dropper named setup.js.
Technical Details of the Malicious Payload
The dropper, identified by GTIG as SILKBELL, dynamically assesses the target system’s operating system to deliver tailored payloads. On Windows systems, it renames and copies PowerShell, downloading a PowerShell script to the user’s Temp directory. For macOS, it installs a native Mach-O binary in /Library/Caches/com.apple.act.mond, while on Linux, it drops a Python backdoor to /tmp/ld.py.
Once the payloads are successfully deployed, the dropper attempts to erase itself and revert any changes made to the package.json file, a tactic designed to eliminate forensic evidence of the attack. The platform-specific payloads deploy a backdoor tracked as WAVESHAPER.V2, which collects system information, enumerates directories, and executes additional commands while connecting to a command-and-control server at sfrclak[.]com:8000/6202033. This backdoor is an updated version of a previously used tool by UNC1069, showcasing the group’s evolving tactics.
The Impact and Scope of the Attack
Although the malicious Axios versions were removed within hours, the library's presence in approximately 80% of cloud and code environments led to significant exposure. Observations indicated that the attack executed in 3% of affected environments. Mandiant CTO Charles Carmakal emphasized the extensive downstream risk associated with this incident, noting that stolen secrets could facilitate further software supply chain attacks, compromises in SaaS environments, and potential ransomware events.
Carmakal highlighted the awareness of hundreds of thousands of stolen credentials, indicating a diverse array of actors involved in these attacks. GTIG Chief Analyst John Hultquist remarked on the Lazarus Group’s historical expertise in supply chain attacks, particularly for cryptocurrency theft, and noted that the full extent of the incident remains unclear but is expected to have far-reaching consequences.
Huntress reported identifying approximately 135 compromised devices, although the total number affected during the critical three-hour window is still under investigation.
Recommendations for Defenders
Organizations that executed npm install between 00:21 and 03:20 UTC on March 31 should consider their environments potentially compromised. Security teams are advised to check for remote access Trojan (RAT) artifacts at specific locations: /Library/Caches/com.apple.act.mond for macOS, %PROGRAMDATA%\wt.exe for Windows, and /tmp/ld.py for Linux.
Defenders should downgrade to Axios versions 1.14.0 or 0.30.3, remove plain-crypto-js from node_modules, audit CI/CD pipeline logs for the affected timeframe, rotate all credentials on systems where RAT artifacts are found, and block egress to sfrclak[.]com.
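As an added example (not code from the article or from the Axios project), the following POSIX shell script turns the checks above into something a security team can run across checkouts and hosts: it flags an installed axios that is one of the two pulled releases, flags plain-crypto-js whether it sits in node_modules or is only pinned in a lockfile (a small extension of the article's node_modules check), and lists whichever of the three RAT artifact paths exist on the host. The function names, the project-directory argument, and the RAT_PATHS override (which also spells the Windows path with a forward slash for Git Bash or WSL) are my own assumptions.

```shell
# Added example (not the article's or Axios's code): audit a project tree and this host for the indicators above.
BAD_AXIOS_VERSIONS="1.14.1 0.30.4"   # pulled Axios releases
BAD_DEP="plain-crypto-js"            # dependency injected into them
# RAT artifact paths from the article (overridable so tests can use fixtures); the Windows entry only resolves when PROGRAMDATA is set.
RAT_PATHS="${RAT_PATHS:-/Library/Caches/com.apple.act.mond /tmp/ld.py ${PROGRAMDATA:-/nonexistent}/wt.exe}"
# Read the "version" field of a package.json without depending on jq.
pkg_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}
# True (exit 0) when node_modules/axios under project dir $1 is a pulled release.
axios_is_compromised() {
    pj="$1/node_modules/axios/package.json"
    [ -f "$pj" ] || return 1
    v=$(pkg_version "$pj")
    for bad in $BAD_AXIOS_VERSIONS; do
        [ "$v" = "$bad" ] && return 0
    done
    return 1
}
# True (exit 0) when plain-crypto-js is installed or pinned in a lockfile of project $1.
injected_dep_present() {
    [ -d "$1/node_modules/$BAD_DEP" ] && return 0
    for lock in package-lock.json yarn.lock pnpm-lock.yaml; do
        [ -f "$1/$lock" ] && grep -q "$BAD_DEP" "$1/$lock" && return 0
    done
    return 1
}
# Print each RAT artifact path that exists on this host.
rat_artifacts() {
    for p in $RAT_PATHS; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}
# Print findings for project $1; the exit status is the number of findings (0 = clean), so it can gate a CI job.
audit_project() {
    count=0
    if axios_is_compromised "$1"; then
        echo "FINDING: pulled axios release in $1/node_modules/axios"; count=$((count + 1))
    fi
    if injected_dep_present "$1"; then
        echo "FINDING: $BAD_DEP present in $1"; count=$((count + 1))
    fi
    for a in $(rat_artifacts); do
        echo "FINDING: RAT artifact $a"; count=$((count + 1))
    done
    return $count
}
```

Any non-zero finding count means the host's credentials should be rotated and egress to the C2 domain blocked, per the recommendations above, in addition to reverting axios and removing the injected package.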
This incident serves as a critical reminder of the vulnerabilities inherent in software supply chains and the need for robust security measures to protect against sophisticated cyber threats.
Source: thecyberexpress.com