Anatomy of the Massive Axios Supply Chain Attack
A deep dive into the threat vector, token bypass vector, and WAVESHAPER.V2 RAT payload that hit the Axios npm library.
Headline: A massive supply chain attack just hit Axios. If your CI/CD pipelines ran recently, audit them immediately. 🏴☠️
Here is a breakdown of what happened and why it is so terrifying for the JavaScript ecosystem:
1️⃣ The Target: Axios, the massively popular HTTP client with over 100 million weekly downloads, was compromised.
2️⃣ The Compromise: A threat actor (attributed by Google to North Korea's UNC1069) hijacked the npm account of a lead Axios maintainer.
3️⃣ The Bypass: Even though Axios used modern CI/CD security like OIDC Trusted Publishing, the attackers found and used a legacy, long-lived npm access token to publish directly. This allowed them to completely bypass code reviews and GitHub Actions.
4️⃣ The Payload: They released compromised versions 1.14.1 and 0.30.4 containing a malicious phantom dependency called plain-crypto-js that dropped a cross-platform Remote Access Trojan (RAT) known as WAVESHAPER.V2.
What the RAT is capable of:
- Cross-Platform Execution: Whether your CI/CD runner is on Linux, your local machine is a Mac, or your teammate uses Windows, it deploys custom implants tailored to the OS.
- Silent Reconnaissance: It immediately fingerprints the machine and beacons back to the attacker's server every 60 seconds.
- Total Remote Control: It opens a persistent backdoor, giving the attackers the ability to execute arbitrary commands directly on your infrastructure.
Exposed Data: If this script executed in your environment, you must assume the following are completely compromised:
.envfiles and local application secrets- Cloud provider access keys (AWS, GCP, Azure)
- CI/CD pipeline secrets and GitHub/GitLab Personal Access Tokens
- Database connection URIs and passwords
- Active SSH keys
What you need to do right now:
🛑 Check your lockfiles for axios@1.14.1 or axios@0.30.4.
🛑 If you find them, assume the machine or environment is fully compromised.
🛑 Revert to a safe version like 1.14.0 or 0.30.3 and strictly pin your dependencies.
🛑 Rotate ALL credentials, API keys, and environment variables that were present on the affected machines.
#CyberSecurity #JavaScript #NodeJS #InfoSec #SupplyChainAttack #Axios #WebDevelopment #TechNews