Sajid Mahmud

July 11, 2026 · 2 min read

Anatomy of the Massive Axios Supply Chain Attack

A deep dive into the threat vector, token bypass vector, and WAVESHAPER.V2 RAT payload that hit the Axios npm library.

Cyber-SecuritySupply-ChainNodeJS
Anatomy of the Massive Axios Supply Chain Attack

Headline: A massive supply chain attack just hit Axios. If your CI/CD pipelines ran recently, audit them immediately. 🏴‍☠️

Here is a breakdown of what happened and why it is so terrifying for the JavaScript ecosystem:

1️⃣ The Target: Axios, the massively popular HTTP client with over 100 million weekly downloads, was compromised. 2️⃣ The Compromise: A threat actor (attributed by Google to North Korea's UNC1069) hijacked the npm account of a lead Axios maintainer. 3️⃣ The Bypass: Even though Axios used modern CI/CD security like OIDC Trusted Publishing, the attackers found and used a legacy, long-lived npm access token to publish directly. This allowed them to completely bypass code reviews and GitHub Actions. 4️⃣ The Payload: They released compromised versions 1.14.1 and 0.30.4 containing a malicious phantom dependency called plain-crypto-js that dropped a cross-platform Remote Access Trojan (RAT) known as WAVESHAPER.V2.

What the RAT is capable of:

  • Cross-Platform Execution: Whether your CI/CD runner is on Linux, your local machine is a Mac, or your teammate uses Windows, it deploys custom implants tailored to the OS.
  • Silent Reconnaissance: It immediately fingerprints the machine and beacons back to the attacker's server every 60 seconds.
  • Total Remote Control: It opens a persistent backdoor, giving the attackers the ability to execute arbitrary commands directly on your infrastructure.

Exposed Data: If this script executed in your environment, you must assume the following are completely compromised:

  • .env files and local application secrets
  • Cloud provider access keys (AWS, GCP, Azure)
  • CI/CD pipeline secrets and GitHub/GitLab Personal Access Tokens
  • Database connection URIs and passwords
  • Active SSH keys

What you need to do right now: 🛑 Check your lockfiles for axios@1.14.1 or axios@0.30.4. 🛑 If you find them, assume the machine or environment is fully compromised. 🛑 Revert to a safe version like 1.14.0 or 0.30.3 and strictly pin your dependencies. 🛑 Rotate ALL credentials, API keys, and environment variables that were present on the affected machines.

#CyberSecurity #JavaScript #NodeJS #InfoSec #SupplyChainAttack #Axios #WebDevelopment #TechNews