North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack

A supply chain attack inserted a malicious dependency, plain-crypto-js, into the axios npm releases 1.14.1 and 0.30.4 on March 31. A postinstall hook executed an obfuscated JavaScript dropper (tracked as SILKBELL) that deployed platform-specific payloads. Multiple threat intelligence firms (GTIG, Mandiant, ThreatBook) attributed the campaign to North Korea’s Lazarus Group/UNC1069; the payloads installed the WAVESHAPER.V2 backdoor, which contacts sfrclak[.]com. Defenders should treat any npm install that pulled axios between 00:21 and 03:20 UTC on March 31 as potentially compromised and follow the remediation steps below. #LazarusGroup #WAVESHAPERV2

Keypoints

  • The malicious dependency plain-crypto-js was added to axios releases 1.14.1 and 0.30.4, which were available between 00:21 and 03:20 UTC on March 31.
  • The attack executed via a postinstall hook that ran an obfuscated JavaScript dropper tracked as SILKBELL.
  • Platform-specific payloads deployed the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux, which beaconed to sfrclak[.]com:8000/6202033.
  • GTIG, ThreatBook, and Mandiant attribute the operation to UNC1069/Lazarus Group based on payload updates and infrastructure overlap.
  • Responders should check affected hosts for RAT artifacts, remove plain-crypto-js, move affected axios versions to an unaffected release, audit CI/CD logs for installs in the exposure window, rotate credentials that were reachable from affected build environments, and block egress to sfrclak[.]com.
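
As an added triage example (not code from the article, the axios project, or any of the cited vendors), the following Node.js snippet applies the indicators listed above: it walks a parsed package-lock.json for plain-crypto-js and the two affected axios versions, including nested copies, lists the install-time lifecycle hooks a package.json declares, and matches proxy/DNS log lines against sfrclak[.]com with its reported port and path. The lockfile, the log lines, and every version other than the two affected axios releases are constructed sample data; `hasInstallScript` is npm's own lockfile marker for packages that declare an install hook.

```javascript
// Added triage example for the incident described above. It is not code from
// the article, the axios project, or any of the cited vendors. Inputs below
// (lockfile, log lines, versions of non-axios packages) are constructed.

const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEPENDENCY = "plain-crypto-js";
const C2_HOST = "sfrclak.com"; // defanged as sfrclak[.]com in the report
const C2_PORT = "8000";
const C2_PATH = "/6202033";

// Package name from a package-lock "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3, which carry a
// "packages" map keyed by install path, so nested copies are seen too).
// Returns one finding per suspicious entry, listing every reason it matched.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry
    const name = packageNameFromPath(lockPath);
    const reasons = [];
    if (name === MALICIOUS_DEPENDENCY) reasons.push("malicious dependency present");
    if (name === "axios" && AFFECTED_AXIOS_VERSIONS.has(meta.version)) {
      reasons.push("affected axios release");
    }
    // npm sets hasInstallScript when a package declares preinstall/install/
    // postinstall. The dropper ran from such a hook, so list them for review;
    // many legitimate native-addon packages have one, so this is not proof.
    if (meta.hasInstallScript === true) reasons.push("declares install lifecycle script");
    if (reasons.length > 0) findings.push({ path: lockPath, name, version: meta.version, reasons });
  }
  return findings;
}

// Which install-time hooks a package.json declares. Use this on the
// package.json of any flagged package to see exactly what ran at install.
function installLifecycleScripts(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return ["preinstall", "install", "postinstall"].filter((k) => typeof scripts[k] === "string");
}

// Match proxy/DNS/firewall log lines against the C2 host. The host must sit
// on a token boundary so "notsfrclak.com" or "sfrclak.community" do not hit;
// port and path are captured when the line carries them URL-style.
const C2_RE = new RegExp(
  "(?:^|[^a-z0-9.-])" + C2_HOST.replace(/\./g, "\\.") + "(?![a-z0-9-])(?::(\\d+))?(/\\S*)?",
  "i"
);

function findC2Egress(logLines) {
  const hits = [];
  logLines.forEach((line, i) => {
    const m = C2_RE.exec(line);
    if (!m) return;
    hits.push({
      line: i + 1,
      port: m[1] || null,
      path: m[2] || null,
      exactIoc: m[1] === C2_PORT && m[2] === C2_PATH, // full host:port/path from the report
    });
  });
  return hits;
}

// Constructed sample inputs (not real data); plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/some-tool/node_modules/axios": { version: "0.30.4" },
  },
};

const SAMPLE_LOG = [
  "03/31 01:12:44 proxy 10.20.30.40:49152 GET http://sfrclak.com:8000/6202033 200",
  "03/31 01:12:45 dns 10.20.30.40 A registry.npmjs.org",
  "03/31 01:13:02 dns 10.20.30.40 A sfrclak.com",
  "03/31 01:15:00 proxy 10.20.30.41:49160 GET https://notsfrclak.com/ 200",
];

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
console.log(JSON.stringify(findC2Egress(SAMPLE_LOG), null, 2));
```

Point `scanLockfile` at `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` for each repository and CI image, and feed exported proxy or DNS logs to `findC2Egress`. A hit on plain-crypto-js or on an affected axios version means the install-window check, artifact hunt, and credential rotation above apply to that host; a DNS-only hit on the host is worth the same follow-up even without the exact port and path.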

Read More: https://thecyberexpress.com/lazarus-behind-axios-npm-supply-chain-attack/