
Axios NPM poisoned with WAVESHAPER.V2 — supply chain cyber attack that could steal login info

What happened

Researchers and Google flagged trojanised Axios npm releases this week, with attackers publishing malicious package versions 1.14.1 and 0.30.4 that included a payload tracked as WAVESHAPER.V2.

Google’s Threat Intelligence Group attributed the campaign to a North Korea-linked actor it calls UNC1069, saying the updates were designed to harvest login information that could enable follow-on operations. At the time of writing, the packages had been identified in the npm registry and security teams were warning developers and maintainers.

Why this matters to businesses

If your developers, CI pipelines or third-party vendors pull Axios into production, this matters now. A poisoned dependency can leak credentials, API keys and session tokens without ever touching your perimeter, and that is exactly the risk Google warned about with WAVESHAPER.V2.

Customers, partners and suppliers can be affected indirectly, because a single compromised build can push malicious code into many services. Expect regulatory headaches if customer data is accessed, plus downtime while dev teams chase a supply chain incident instead of roadmap work.

Also, if you still treat supplier blind spots as someone else’s problem, you’re flirting with avoidable chaos.

If you’ve got the same weakness, here’s what happens next

Given a malicious npm release, attackers can quietly exfiltrate credentials from developer machines or CI runners, replay them to access cloud consoles, and plant persistence in downstream services. Over time, that quiet persistence turns into incident response, legal calls and lost customer trust.

Once an attacker harvests login information, remediation costs spiral, because you must rotate keys, rebuild artefacts and revalidate every deployment pipeline that consumed the compromised package. It’s not flashy, it’s tedious and expensive, and it eats leadership time.

What to do on Monday morning

  • Halt automated pulls of Axios and any recent npm updates, then pin dependencies to known-good versions in your lockfiles and CI.

  • Search your build artefacts and container images for signs of WAVESHAPER.V2 or the trojanised versions 1.14.1 and 0.30.4, and isolate any affected images or runners.

  • Rotate credentials and API keys that may have been exposed in developer machines or CI logs, and force reissue for tokens used in build pipelines.

  • Block or quarantine known-malicious package versions at your internal artifact proxy or registry, and add signature or checksum verification to installs.

  • Review CI runner permissions, remove excessive privileges and ensure secrets are not mounted into build environments in plain text.

  • Turn up logging on package install steps and on service authentication, and keep preserved telemetry for forensic review.

  • Run a supplier and third-party dependency review, including any vendors that build on your code, and notify them to check their pipelines.

Where ISO standards fit, without the sales pitch

An ISO 27001-aligned management system helps here because it forces you to map supplier risk, lock down change control and document who may publish or approve dependencies; see Synergos on ISO 27001 for a practical take on that.

When continuity and recovery matter, for example if a build chain is unusable for days, a tested business continuity plan limits the outage window; look at proven BCMS approaches at Synergos on ISO 22301.

Baseline technical controls reduce the blast radius, such as locking dependency versions, using internal registries and running provenance checks, and you can find guidance on baseline certifications at Synergos on IASME.

Finally, developer and ops behaviour matters; targeted training that covers supply chain threats keeps people from treating npm installs as routine, and for practical user-focused programmes see Synergos usecure.

Put bluntly, ISO-style policies give you the control points to spot, contain and recover from this kind of supply chain hit, without relying on luck or heroic firefighting.

Take five minutes now to map where Axios appears in your codebase and CI, then make time this week to lock down pipelines and rotate any exposed secrets.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.