
Axios npm Supply Chain Attack by UNC1069: Saudi Financial DevOps Alert

UNC1069 compromised Axios npm with the WAVESHAPER.V2 backdoor, exposing over 100M weekly downloads. Saudi financial institutions must audit dependency trees and CI/CD pipelines immediately.

FyntraLink Team

On March 31, 2026, Google's Threat Intelligence Group (GTIG) confirmed that North Korean state-sponsored hackers from UNC1069 successfully compromised the Axios npm package — one of the most downloaded JavaScript libraries on the planet — deploying the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux environments worldwide. For Saudi financial institutions running modern web applications or internal tooling that depends on npm packages, this attack exposes a systemic blind spot in your software supply chain that SAMA CSCC Domain 5 and NCA ECC demand you address immediately.

A Three-Hour Window That Put 100 Million+ Weekly Downloads at Risk

Between 00:21 and 03:20 UTC on March 31, 2026, attackers from UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, injected a malicious dependency called "plain-crypto-js" into two Axios releases: versions 1.14.1 and 0.30.4. Axios 1.x alone receives over 100 million weekly downloads, making this one of the highest-blast-radius supply chain attacks recorded on the npm registry. npm removed both versions within three hours, but that was long enough for automated CI/CD pipelines worldwide to resolve the poisoned releases before any alert was raised. The mechanism is worth spelling out: a floating range such as ^1.14.0 or ^0.30.0 in package.json resolves to the newest matching release at install time, so any job that installed without a committed lockfile, re-resolved the range with `npm install` or `npm update`, or merged an automated dependency-bump pull request during that window ended up with 1.14.1 or 0.30.4 and, through it, plain-crypto-js. A build that installed strictly from a lockfile pinned to an earlier release was not affected.

The malicious payload deployed WAVESHAPER.V2 — an updated version of the WAVESHAPER backdoor previously attributed to UNC1069. The backdoor communicates over JSON-formatted C2 channels, exfiltrates detailed system fingerprints, and supports a full suite of remote commands including credential harvesting, persistence mechanisms, and lateral movement capabilities. Attribution was confirmed through infrastructure overlaps with prior UNC1069 campaigns and the reuse of WAVESHAPER.V2 tooling. Notably, the same threat group is also linked to the $285 million Drift Protocol DeFi hack executed on April 1, 2026 — itself traced to a six-month social engineering operation targeting developers at international industry conferences.

The Attack Vector: Social Engineering at Developer Level

The Axios maintainer publicly confirmed that the compromise was not a technical exploit of npm's infrastructure. Instead, UNC1069 ran a precisely targeted social engineering campaign against the project maintainer directly — convincing them to accept a malicious contribution or grant repository access under false pretenses. This technique mirrors DPRK's well-documented IT Worker infiltration playbook, where fabricated professional identities are built over weeks or months before the attack is executed.

This matters for Saudi financial teams because your organization's technology stack almost certainly includes open-source maintainers as an implicit, untrusted party in your software delivery chain. Unlike a vendor with a formal SLA and NDA, a single OSS maintainer targeted by a nation-state represents an uncontrolled third-party risk that does not appear on most vendor risk registers. SAMA CSCC Subdomain 3.3 (Technology Risk Management) and NCA ECC-1-5-3 (Software Security) require organizations to manage this risk explicitly — and the Axios incident demonstrates that the threat is no longer theoretical.

Why This Attack Profile Is Especially Dangerous for Saudi Financial Institutions

Saudi banks, fintechs, and capital markets firms rely heavily on Node.js and JavaScript-based microservices for API gateways, customer-facing portals, and internal tooling. Axios is a near-universal HTTP client in these environments. If a build or deployment resolved axios@1.14.1 or axios@0.30.4 between midnight and 03:30 UTC on March 31, 2026, you may have shipped WAVESHAPER.V2 into production without a single alert from your SIEM or endpoint controls: the install step that pulled it looks identical to every other build, and whatever it dropped runs with the privileges and network reach of the process that installed or loaded the package. A build that installed strictly from a lockfile pinned to an earlier Axios release did not pick up the poisoned dependency.

WAVESHAPER.V2's JSON-based C2 traffic is engineered to blend with normal HTTPS API calls, a significant detection challenge for network-layer tools: without TLS inspection, a proxy or firewall sees only the destination, the volume and the timing, never the JSON inside. In a SAMA-regulated environment where outbound traffic analysis is mandated under CSCC Domain 4 (Cyber Defense), teams must verify that their monitoring can attribute outbound HTTPS from container workloads and serverless functions to the originating Node.js process and destination, and that those workloads are held to an egress allowlist. A compromised package calling a host the service has never legitimately needed is the observable; the payload format is not.

Additionally, PDPL Article 29 requires notification to SDAIA within 72 hours of detecting a personal data breach. If WAVESHAPER.V2 accessed customer data — even briefly — before detection, the clock starts the moment your team becomes aware of the exposure. Financial institutions that have not yet inventoried their npm dependency tree face an immediate compliance gap that cannot wait for the next quarterly review cycle.

Recommended Actions: Immediate and Short-Term

  1. Audit your dependency tree now. Inspect every package-lock.json and yarn.lock in your repositories for axios@1.14.1, axios@0.30.4, or any entry for "plain-crypto-js", and run `npm ls axios --all` in checked-out projects to see every resolved Axios version and which parent package pulls it in; Axios is frequently a second- or third-level dependency that developers never installed explicitly. Treat `npm audit` as a secondary check: it reports what the registry's advisory database already lists, so it cannot flag a version before an advisory exists. Snyk, Socket.dev, or GitHub Dependabot extend the same scan across transitive dependencies and across many repositories at once.
  2. Review CI/CD build logs for the exposure window. Examine all builds executed between March 31, 00:00 UTC and 03:30 UTC. Any artifact built during this window that resolved Axios, and any lockfile commit or automated dependency-bump merge in that window that moved Axios to 1.14.1 or 0.30.4, should be treated as potentially compromised, quarantined, and rebuilt from a verified clean base image with a lockfile that pins a clean release.
  3. Hunt for WAVESHAPER.V2 indicators of compromise. GTIG published IOCs including the "plain-crypto-js" package hash, WAVESHAPER.V2 C2 infrastructure IP ranges, and behavioral signatures. Cross-reference these against your SIEM, EDR, and proxy logs for the relevant timeframe. Pay particular attention to outbound HTTPS connections to new or rare destinations originating from Node.js processes, and do not limit the hunt to the three-hour window: an artifact built then keeps beaconing for as long as it stays deployed.
  4. Implement npm package integrity controls. Use `npm ci` rather than `npm install` in every pipeline: it installs exactly what the committed lockfile pins, verifies the recorded integrity hashes, and fails the build if package.json and the lockfile disagree, which stops a floating range from silently resolving to a new release in CI. Two caveats: `npm ci` faithfully reproduces whatever the lockfile contains, so a poisoned version committed to the lockfile during the window still installs, and it does not block install-time scripts, so add `--ignore-scripts` where your dependencies allow it. Consider adopting a private npm registry, such as Verdaccio, Artifactory, or AWS CodeArtifact, that mirrors approved package versions and gives your security team an inspection gate before packages reach your build environment; a holding period before newly published versions are admitted would have outlasted a three-hour takedown entirely.
  5. Build and maintain a Software Bill of Materials (SBOM). NCA ECC-1-5-3 and evolving SAMA guidance on application security require organizations to maintain an SBOM. Tools such as Syft, Trivy, or CycloneDX can generate SBOM artifacts from existing codebases and container images within hours, providing the inventory foundation needed for rapid incident response when the next supply chain event occurs. Because SBOMs record components as package URLs, the question "which images contain pkg:npm/axios@1.14.1" becomes a single query across everything you have shipped.
  6. Elevate open-source library risk to your vendor risk program. Classify critical OSS libraries as third-party software suppliers and apply controls from SAMA CSCC Subdomain 3.3 accordingly. At minimum, monitor the GitHub repositories of top-tier dependencies for unusual commit activity, sudden ownership transfers, or new collaborator additions from recently created accounts.

Conclusion

The UNC1069 Axios attack is a watershed moment for software supply chain security across the Middle East's financial sector. Nation-state adversaries are no longer waiting at your perimeter — they are embedding themselves inside the open-source libraries your development teams trust without question. The three-hour window that GTIG documented is shorter than most SOC teams' mean-time-to-detect for supply chain threats, and that gap represents a structural control failure that SAMA and NCA will increasingly scrutinize during maturity assessments and regulatory examinations.

Financial institutions that treat this incident as a one-time patch event will miss the strategic shift underway: software supply chain security is now a board-level risk requiring dedicated tooling, engineering process change, and formal open-source library governance. The organizations that invest in these capabilities today will hold a measurable compliance and resilience advantage when SAMA's next CSCC revision formalizes supply chain requirements — which, based on current regulatory trajectory, is a matter of when, not if.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes a software supply chain security review aligned to CSCC Domain 5 and NCA ECC-1-5-3.