Security operations

Red Canary SecOps Weekly: Episode 59 – The anatomy of the axios compromise

SecOps Weekly | 04.07.26

The anatomy of the axios compromise

Red Canary malware expert Tony Lambert delivers a post-mortem on the axios npm supply chain attack, walks through the exploit chain step by step, and offers guidance on hardening npm environments.

SHOW NOTES

This latest episode of Red Canary SecOps Weekly features Red Canary experts Tony Lambert and Keith McCammon discussing the recent axios npm package supply chain attack that occurred in March 2026, where North Korean threat actors (UNC1069) compromised a maintainer’s account and published malicious versions of the popular package.

The attack affected versions 1.14.1 and 0.30.4 of a package that is downloaded millions of times weekly. The compromise began with social engineering: the maintainer was tricked into installing malicious software during a fake company meeting.

The attackers injected a malicious dependency that downloaded a platform-specific remote access trojan: a PowerShell payload on Windows, a Python payload on Linux, and a Mach-O binary tracked as WAVESHAPER.V2 on macOS.

Red Canary detected malicious activity across all three operating systems but found no follow-on activity, suggesting the attackers may have been overwhelmed by their success. The session covers detection methods, remediation steps for affected systems, and preventive measures including package pinning, using private repositories, implementing cool-down periods, and enabling two-factor authentication for maintainers.
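Two of the preventive measures above, checking pinned versions against a list of known-bad releases and enforcing a cool-down period before a freshly published version is allowed in, can be expressed as a lockfile audit. The script below is an added example for this page, not Red Canary's or the axios project's code. The lockfile, the registry publish timestamps, the package names other than axios, and the seven-day window are constructed assumptions; the only page-sourced facts are the two affected axios versions.

```python
"""Audit a package-lock.json for known-compromised versions and for
packages published more recently than a cool-down window.

Added example; not Red Canary's or the axios project's code. The
lockfile, registry timestamps and cool-down length are constructed
assumptions. Only the two affected axios versions come from the page.
"""
import json
from datetime import datetime, timedelta, timezone

# Versions named in the show notes as the malicious axios releases.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}

# Constructed lockfile in npm lockfileVersion 3 layout; not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0", "follow-redirects": "^1.15.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
        "node_modules/legacy-lib/node_modules/axios": {"version": "0.30.4"},
        "node_modules/@scope/unlisted": {"version": "2.0.0"},
    },
})

# Constructed stand-in for the `time` field of npm registry metadata
# (GET https://registry.npmjs.org/<name> maps each version to its ISO
# publish timestamp). These timestamps are made up for the example.
SAMPLE_TIMES = {
    "axios": {
        "1.14.1": "2026-03-30T12:00:00.000Z",
        "0.30.4": "2026-03-30T12:05:00.000Z",
    },
    "follow-redirects": {"1.15.9": "2024-09-01T00:00:00.000Z"},
}


def parse_lock(lock_text):
    """Yield (package name, resolved version) for every installed package."""
    for path, entry in json.loads(lock_text)["packages"].items():
        if path == "" or "version" not in entry:
            continue  # root project entry, or a link with no version
        # Nested installs look like node_modules/a/node_modules/b; the
        # package name (including any @scope/) follows the last node_modules/.
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, entry["version"]


def audit(lock_text, registry_times, now, min_age_days=7):
    """Return a list of (name, version, reason) findings.

    Reasons: known-compromised (version is on the blocklist),
    no-publish-time (registry metadata missing, treat as unverified),
    younger-than-cooldown (published inside the cool-down window).
    """
    findings = []
    window = timedelta(days=min_age_days)
    for name, version in parse_lock(lock_text):
        if version in COMPROMISED.get(name, ()):
            findings.append((name, version, "known-compromised"))
        stamp = registry_times.get(name, {}).get(version)
        if stamp is None:
            findings.append((name, version, "no-publish-time"))
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if now - published < window:
            findings.append((name, version, "younger-than-cooldown"))
    return findings


if __name__ == "__main__":
    # Fixed clock so the example is reproducible offline.
    now = datetime(2026, 3, 31, tzinfo=timezone.utc)
    for name, version, reason in audit(SAMPLE_LOCK, SAMPLE_TIMES, now):
        print(f"{name}@{version}: {reason}")
```

Run in CI against the real lockfile, the `time` field fetched from the registry (or from a private mirror), and `datetime.now(timezone.utc)`; fail the build on any finding. The cool-down check is the part that would have helped here: a freshly published patch release is exactly what a compromised maintainer account produces, and a week of delay gives the ecosystem time to notice and unpublish it before it reaches your builds.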

Timestamps:

  • 00:00 – Introduction
  • 01:04 – Welcome to SecOps Weekly!
  • 01:58 – Anatomy of the Axios compromise
  • 04:34 – A high-level look at the compromise
  • 09:50 – A walkthrough of the chain
  • 18:54 – What to do now
  • 23:51 – What to do if you are a customer
  • 28:44 – What to do if you’re the maintainer
