How to Detect and Mitigate North Korea-Nexus Supply Chain Attacks on NPM Packages: A Step-by-Step Guide

Introduction

On March 31, 2026, a sophisticated supply chain attack targeted the widely used axios NPM package, compromising versions 1.14.1 and 0.30.4. The attacker, attributed to the North Korea-nexus threat group UNC1069, injected a malicious dependency named plain-crypto-js that delivered the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. With axios typically averaging over 100 million weekly downloads, the attack posed a massive risk. This step-by-step guide walks defenders through understanding the attack lifecycle, identifying indicators of compromise, and implementing mitigation strategies. Whether you're a developer or security analyst, follow these steps to protect your environment from similar supply chain threats.

How to Detect and Mitigate North Korea-Nexus Supply Chain Attacks on NPM Packages: A Step-by-Step Guide
Source: www.mandiant.com

What You Need

  • Access to package.json files in your projects or repositories.
  • NPM audit or Snyk (or similar) for dependency scanning.
  • Log analysis tools (e.g., SIEM, Elasticsearch) to review deployment logs.
  • Basic JavaScript/Node.js knowledge to understand obfuscation techniques.
  • Threat intelligence feeds or access to Google Threat Intelligence Group reports.
  • Incident response playbook for credential rotation and system isolation.
Step 1: Understand the Attack Vector – Account Compromise and Email Change

The attack began with the compromise of the legitimate axios maintainer account. Evidence shows the associated email was changed to an attacker-controlled address (ifstap@proton.me) hours before the malicious release. Action: Review contributor accounts for packages you maintain. Ensure all maintainers use multi-factor authentication (MFA) and monitor for unexpected email changes or suspicious activity in package registries. Use NPM's 2FA enforcement for package publishing.

Step 2: Identify Malicious Dependencies in Your Project

The attacker inserted plain-crypto-js version 4.2.1 as a dependency in axios v1.14.1 and v0.30.4. Check your package-lock.json or yarn.lock for any references to plain-crypto-js or similar unusual packages. Look for dependencies that have no real project behind them, no GitHub stars, or that were published by newly created accounts. Tools like npm audit or Snyk can flag known malicious packages. Run npm ls to review all installed dependencies and compare them against known good versions.

Step 3: Inspect package.json for Postinstall Hooks

The malicious dependency's package.json contained a postinstall script that executed setup.js silently upon installation. Audit all package.json files (including those in node_modules) for suspicious postinstall, preinstall, or other scripts entries. Look for encoded or obfuscated commands. In axios's case, the legitimate package.json was reverted after execution to hide the trail. Use static analysis tools to detect obfuscated scripts entries.
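The lockfile and manifest checks from Steps 2 and 3 can be scripted. The following is an added example written for this guide, not code from Mandiant or the axios project: it audits an npm lockfile (the v2/v3 "packages" map, which records hasInstallScript for packages declaring lifecycle hooks) and a package.json for the indicators above. The package names and versions come from this guide; the lockfile and manifest contents are constructed.

```javascript
// Added example: audit an npm lockfile and a manifest for the Step 2 / Step 3 indicators.
// Names and versions below are from the write-up; the sample files are constructed.
const KNOWN_BAD = { 'plain-crypto-js': ['4.2.1'], axios: ['1.14.1', '0.30.4'] };
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns one finding per problem found in the lockfile's "packages" map.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const bad = KNOWN_BAD[name];
    if (bad && bad.includes(entry.version)) findings.push({ name, version: entry.version, reason: 'known-malicious-version' });
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    if (entry.hasInstallScript) findings.push({ name, version: entry.version, reason: 'has-install-script' });
    if (!entry.integrity && !entry.link) findings.push({ name, version: entry.version, reason: 'missing-integrity' });
  }
  return findings;
}

// Returns each lifecycle hook in a manifest together with why it looks suspicious.
function suspiciousScripts(manifest) {
  const hits = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    const reasons = [];
    if (/\bnode\s+\S+\.js\b/.test(cmd)) reasons.push('runs-bundled-script');
    if (/[A-Za-z0-9+/]{40,}={0,2}/.test(cmd)) reasons.push('base64-like-blob');
    if (/(curl|wget|powershell|Invoke-Expression)/i.test(cmd)) reasons.push('downloader-or-shell');
    hits.push({ hook, cmd, reasons });
  }
  return hits;
}

// Constructed sample lockfile and manifest mirroring the dependency chain described above.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '1.14.1' } },
    'node_modules/axios': { version: '1.14.1', integrity: 'sha512-CONSTRUCTED', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
    'node_modules/example-dep': { version: '1.0.0', integrity: 'sha512-CONSTRUCTED' },
  },
};
const SAMPLE_MANIFEST = { name: 'plain-crypto-js', version: '4.2.1', scripts: { postinstall: 'node setup.js' } };
```

Run auditLockfile against each project's package-lock.json and suspiciousScripts against every package.json under node_modules; a hasInstallScript finding on a package you do not expect to build native code is worth a manual look even when the name is not on a blocklist.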

Step 4: Analyze Obfuscated Droppers – SILKBELL

The setup.js payload (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09) used custom XOR and Base64 obfuscation to hide the C2 URL and OS-specific commands. Decode the script by reversing the XOR key and Base64 layers. Use a sandbox or dynamic analysis to observe execution. Look for the use of os.platform() and dynamic loading of fs, os, and child_process. The dropper then deletes itself – monitor file system activity for self-deleting scripts.
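The following is an added example, not code from the Mandiant analysis, showing one way to reverse the XOR-plus-Base64 layering and then triage the decoded source for the behaviours listed above. It assumes Base64 was applied over a short repeating-key XOR and that the hidden value starts with a known prefix such as "https://"; the key, the placeholder URL and the dropper-like source are constructed and are not indicators from the incident.

```javascript
// Added example: peel a Base64-over-XOR layer by known-plaintext key recovery, then triage
// the decoded script for the Step 4 behaviours. Layer order, key and sample are assumptions.
function xorBytes(buf, key) {
  const k = Buffer.from(key);
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// The decoded value is expected to start with knownPrefix, so XORing the prefix against
// the ciphertext yields the key stream; the shortest period explaining it is the key.
function recoverKey(encoded, knownPrefix) {
  const cipher = Buffer.from(encoded, 'base64');
  const stream = xorBytes(cipher.subarray(0, knownPrefix.length), knownPrefix);
  for (let len = 1; len <= stream.length; len++) {
    let periodic = true;
    for (let i = len; i < stream.length; i++) if (stream[i] !== stream[i % len]) { periodic = false; break; }
    if (periodic) return stream.subarray(0, len).toString('latin1');
  }
  return null; // prefix shorter than the key, or the layering assumption is wrong
}

function decodeLayer(encoded, key) {
  return xorBytes(Buffer.from(encoded, 'base64'), key).toString('utf8');
}

// Static triage for the behaviours the write-up attributes to the dropper.
function triageSource(src) {
  const checks = {
    platformBranching: /os\.platform\(\)/.test(src),
    dynamicRequires: /require\((['"])(fs|os|child_process)\1\)/.test(src),
    selfDelete: /unlink(Sync)?\(\s*__filename/.test(src),
    obfuscatedBlob: /[A-Za-z0-9+/]{40,}={0,2}/.test(src),
  };
  return { ...checks, score: Object.values(checks).filter(Boolean).length };
}

// Constructed sample: a placeholder URL obfuscated with a 3-byte key, embedded in a
// minimal dropper-like source (not the real setup.js).
const KEY = 'k3y';
const BLOB = xorBytes(Buffer.from('https://c2.example.invalid/beacon'), KEY).toString('base64');
const SAMPLE_SOURCE = `const u=${JSON.stringify(BLOB)};const os=require('os'),cp=require('child_process');
if(os.platform()==='win32'){/* windows branch */}else{/* unix branch */}require('fs').unlinkSync(__filename);`;
```

A triage score of 3 or 4 on a dependency's install-time script is a strong signal to quarantine the package and move to sandboxed dynamic analysis.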

Step 5: Detect OS-Specific Payloads – WAVESHAPER.V2

The dropper delivered WAVESHAPER.V2, a backdoor previously linked to UNC1069. On Windows: look for execution of cmd.exe or powershell with encoded commands. On macOS/Linux: watch for shell scripts downloading remote executables. Indicators: check for unusual outbound connections to IPs or domains associated with previous UNC1069 campaigns (cross-reference with threat intel). The backdoor may persist via registry keys or cron jobs.

Step 6: Monitor Command-and-Control Communications

The dropper contacts a C2 server (URL hidden in the obfuscated code). Set up network monitoring to detect beaconing behavior – periodic SSL/TLS connections to unknown hosts, especially on non-standard ports. Extract the C2 domain/IP from the decoded script and add it to your blocklist. Use DNS logs to identify queries to suspicious domains.
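The beaconing check above can be reduced to interval statistics per destination. The following is an added example, not from the Mandiant report: it parses constructed connection-log lines, skips allowlisted destinations, and flags any host contacted repeatedly at a near-constant interval, noting whether the port is non-standard. The log format, hosts and timestamps are constructed (203.0.113.7 and 198.51.100.9 are documentation addresses, not indicators).

```javascript
// Added example: flag beaconing in a connection log by near-constant intervals to one
// destination, as Step 6 describes. Log format, allowlist and sample lines are constructed.
const KNOWN_HOSTS = new Set(['registry.npmjs.org:443']);

function parseLine(line) {
  const m = /^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+proto=(\S+)$/.exec(line);
  return m ? { ts: Date.parse(m[1]), src: m[2], dst: m[3], proto: m[4] } : null;
}

// Returns destinations contacted at least minCount times whose inter-connection gaps
// all stay within maxJitter (as a fraction of the mean gap); allowlisted hosts are skipped.
function findBeacons(lines, { minCount = 4, maxJitter = 0.2 } = {}) {
  const byDst = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || KNOWN_HOSTS.has(ev.dst)) continue;
    if (!byDst.has(ev.dst)) byDst.set(ev.dst, []);
    byDst.get(ev.dst).push(ev.ts);
  }
  const beacons = [];
  for (const [dst, times] of byDst) {
    if (times.length < minCount) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => (t - times[i]) / 1000);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const jitter = Math.max(...gaps.map((g) => Math.abs(g - mean))) / mean;
    const port = Number(dst.split(':').pop());
    if (jitter <= maxJitter) {
      beacons.push({ dst, count: times.length, intervalSec: Math.round(mean), nonStandardPort: ![80, 443].includes(port) });
    }
  }
  return beacons;
}

// Constructed log: five connections to one host roughly every 60 s, mixed with ordinary traffic.
const SAMPLE_LOG = [
  '2026-03-31T10:00:00Z src=10.0.0.5 dst=203.0.113.7:8443 proto=tls',
  '2026-03-31T10:00:12Z src=10.0.0.5 dst=registry.npmjs.org:443 proto=tls',
  '2026-03-31T10:01:02Z src=10.0.0.5 dst=203.0.113.7:8443 proto=tls',
  '2026-03-31T10:01:58Z src=10.0.0.5 dst=203.0.113.7:8443 proto=tls',
  '2026-03-31T10:02:30Z src=10.0.0.5 dst=198.51.100.9:443 proto=tls',
  '2026-03-31T10:03:01Z src=10.0.0.5 dst=203.0.113.7:8443 proto=tls',
  '2026-03-31T10:04:00Z src=10.0.0.5 dst=203.0.113.7:8443 proto=tls',
  '2026-03-31T10:09:45Z src=10.0.0.5 dst=198.51.100.9:443 proto=tls',
];
```

Real implants add jitter deliberately, so tune maxJitter and minCount against your own baseline rather than treating a single threshold as definitive.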

Step 7: Remediate – Remove Malicious Packages and Rotate Credentials

If you find evidence of compromised axios versions in your environment: immediately remove those package versions from package-lock.json, roll back to a trusted version, and force a reinstall with npm clean-install. Rotate any API keys, tokens, or secrets that may have been exposed on compromised machines. Isolate affected systems and run full antivirus scans. Report the incident to your security team and to NPM.

Step 8: Implement Preventive Measures

  • Enable 2FA on all package maintainer accounts.
  • Use package pinning – specify exact versions in package.json and verify integrity via SHA hashes in lock files.
  • Deploy Software Composition Analysis (SCA) tools to continuously monitor dependencies.
  • Audit postinstall scripts in dependencies using automated checks (e.g., npm lockdown).
  • Maintain up-to-date threat intelligence feeds to catch emerging indicators.

Tips for Ongoing Protection

Stay proactive, not reactive. Supply chain attacks are becoming more sophisticated, especially from state-nexus actors like UNC1069. Regularly review the NPM advisory database and Google Threat Intelligence reports. Consider using private registries or mirroring trusted packages. Educate your team on social engineering tactics that target maintainers. Remember: the attacker changed the email address – watch for account takeover symptoms. Finally, maintain immutable backups and an incident response playbook tailored to software supply chain incidents.
