North Korean Hackers Poisoned Axios for 2 Hours. Every Developer Should Be Scared.

The Setup: Building a Ghost's Reputation

What makes this attack genuinely terrifying is the operational sophistication. This wasn't a smash-and-grab. Eighteen hours before the attack, the threat actors created a separate npm account and published a package called [email protected]. They took the legitimate crypto-js library, copied all 56 source files byte-for-byte, gave it a new name, and pointed its metadata at the real crypto-js GitHub repo. Version 4.2.0 was completely clean. Its only purpose was to exist — to age on the registry long enough that automated security scanners wouldn't flag it as a zero-history anomaly. They were, as the TLDDR podcast put it, building a reputation score for a ghost. [3] Then on March 31 at 23:59 UTC, they published [email protected]. This version carried the payload. Minutes later, they pushed [email protected] — then 39 minutes after that, [email protected]. Two versions to hit both modern deployments and legacy enterprise systems pinned to the 0.x branch. [1][3] The attackers didn't touch a single line of Axios's core code. The only change in the whole repository: one new line in package.json adding plain-crypto.js as a dependency. That's it.

How They Bypassed Everything

Here's the part that should concern every engineering team: the attacker didn't crack any cryptography. Axios uses GitHub Actions with npm's OIDC trusted publisher mechanism — a zero-trust model where even the maintainers don't hold publishing keys. The pipeline generates a short-lived ephemeral token that vanishes after exactly one publish event. You can't steal it. You can't reuse it. The attackers didn't need to. They hijacked npm account jasonsaayman — one of Axios's lead maintainers — and found a legacy static classic npm access token stored in a dotfile on the developer's machine. These tokens don't expire. They carry full publishing authority. And they bypass every security control the GitHub pipeline ever configured. [1][2][3] The forensic smoking gun: the malicious Axios releases show a blank gitHead field in npm registry metadata. Legitimate releases record the exact git commit hash. These versions have no corresponding commit anywhere in the Axios repo. The malicious code exists only on the registry. [3]

1.1 Seconds to Owned

The [email protected] payload used npm's postInstall lifecycle hook — a legacy feature that runs shell commands automatically when a package is downloaded. No user prompt. No permission request. Just execution. The dropper script (setup.js) employed a two-layer obfuscation using Base64 encoding and an XOR cipher to decode commands in memory at runtime — meaning the actual malicious strings never touched the hard drive. Traditional antivirus scans the file system. These never got there. In Step Security's sandbox testing, the malware made its first outbound connection to sfrclak.com:8000 just 1.1 seconds after npm install began. Before your terminal printed the next line. [3] Then it cleaned up. The dropper script deleted itself. It replaced the malicious package.json with a pre-staged clean version claiming to be version 4.2.0. If a security responder went digging afterward, they'd find 56 legitimate cryptography files and no postInstall hook. npm audit would report zero vulnerabilities. The crime scene was erased from the inside. [3] The payload itself — identified by Google Threat Intelligence as Waveshaper v2 — is a full-featured remote access trojan that beacons to the C2 server every 60 seconds with system telemetry: hostname, username, running processes, OS version, timezone. It can enumerate directories, execute arbitrary shell commands, and inject secondary payloads directly into the memory of legitimate running processes without ever writing to disk. [1][3]

Who Did This, and Why

Google Threat Intelligence Group has attributed the attack to UNC1069, a financially motivated North Korea-nexus threat group active since at least 2018. They specialize in cryptocurrency theft and DeFi infiltration. The Waveshaper malware shares architectural DNA with prior confirmed UNC1069 campaigns — same C2 polling intervals, same deceptive temp file paths, same Internet Explorer 8 user-agent string. The command-and-control IP ties back to a VPN node previously linked to the group. [1][2] The broader context: in the two weeks prior, a related group (UNC6780 / Team PCP) had compromised Trivy, KICS, and several Python package index libraries — tools designed to harvest cloud credentials, SSH keys, and CI/CD secrets. The SANS Institute's analysis suggests these operations may be linked through an initial access broker economy: one group steals developer credentials and sells access, another deploys the RAT and monetizes the foothold. [3] The Axios attack wasn't a lucky shot. It was the downstream result of a coordinated infrastructure operation.

What You Should Do Right Now

If you manage JavaScript projects, here's the short version from the forensics teams: Audit your lockfiles — search package-lock.json, yarn.lock, and pnpm-lock.yaml for [email protected], [email protected], or any mention of plain-crypto.js. That string in your lockfile means your environment pulled the payload. Hunt for artifacts — on macOS: ~/Library/Caches/com.apple.act.mmon; on Windows: %PROGRAMDATA%\wad.exe; on Linux: /tmp/d.py. Check outbound connections — look for traffic to sfrclak.com or 142.11.206.73 on port 8000. If you were affected, rotate everything — cloud keys, npm tokens, SSH keys, database credentials. The 1.1-second window means the keys were gone before you knew anything happened. You cannot clean the machine; wipe it and rebuild. [1][3]

The Bigger Question

The Byte-Size podcast ended with a question worth sitting with: if a package with 100 million weekly downloads can be weaponized with a single line change in a manifest file, is the open source dependency model fundamentally broken? Probably not broken, but clearly stressed. The vector here — a forgotten legacy token bypassing a cryptographically hardened CI/CD pipeline — is embarrassingly simple. Organizations spend weeks auditing their own code and ignore the 200-to-2,100 unknown developers their average npm project implicitly trusts with code execution. The Axios attack was caught in 2–3 hours. Most campaigns aren't this visible. The Waveshaper RAT was still beaconing, still waiting for commands, on over 100 confirmed devices when Huntress published its report. [2] npm install. Two words. One very long morning.