Axios npm Supply Chain Attack: 83M Downloads Compromised via Cross-Platform RAT (March 31, 2026)

⚠️ Active Incident — March 31, 2026. If you ran npm install or npm update between March 30 evening UTC and March 31, check your systems now. See remediation steps below.

🔄 Developing Story — Attribution now resolved: Google GTIG has formally attributed this attack to UNC1069 (also tracked as Sapphire Sleet by Microsoft), a North Korea-nexus threat actor linked to BlueNoroff/Lazarus Group. The attack is confirmed unrelated to the concurrent TeamPCP campaign. Malicious versions have been taken down by npm. Full scope of affected organizations is still being assessed. This article will be updated as new information becomes available. Last updated: April 2, 2026 16:00 UTC.

Updates

2026-04-02 16:00 UTC — Google GTIG Publishes Full UNC1069 Expanded Capability Report: SILENCELIFT, DEEPBREATH, CHROMEPUSH; AI Deepfake Zoom Lures; Community Dependency-Safety Reckoning

Google Threat Intelligence Group / Mandiant published a full expanded-capability report on UNC1069 based on a recent incident response engagement against a FinTech entity in the cryptocurrency sector. This report is not directly about the axios attack but provides critical threat actor context: it documents UNC1069’s current tooling, social engineering, and AI-enabled capabilities in live operations contemporaneous with the axios supply chain attack. Three new malware families are formally named for the first time.

• Three new UNC1069 malware families named: GTIG/Mandiant formally names three new tools deployed in UNC1069’s latest operations — SILENCELIFT, DEEPBREATH, and CHROMEPUSH — alongside the previously documented downloader SUGARLOADER. All four were deployed on a single compromised host, indicating a highly automated, multi-tool intrusion capability. While SILKBELL and WAVESHAPER.V2 (used in the axios attack) are distinct from these, the report confirms UNC1069 operates a broad and actively expanding malware arsenal — not a one-tool threat actor.

• AI-generated deepfake Zoom lures confirmed in live operations. The Mandiant IR engagement documents a victim being presented with a deepfake video of a cryptocurrency company CEO during a fake Zoom meeting hosted at threat actor-controlled infrastructure (zoom[.]uswe05[.]us). A “technical audio issue” ruse was then used to execute a ClickFix attack — the victim was prompted to run “troubleshooting” commands that initiated the infection chain. The commands included a disguised curl | zsh call to an attacker C2 (mylingocoin[.]com). This is the same ClickFix technique mentioned in SANS briefings as a candidate for how initial access to jasonsaayman or related accounts may have been established.

• UNC1069 actively uses Gemini for tooling development and operational research. GTIG confirms UNC1069 uses Google Gemini to assist with tool development, reconnaissance, and operational research — corroborating SANS’ earlier speculation about AI-assisted multi-platform payload generation (the simultaneous macOS/Windows/Linux builds observed in the axios attack). Kaspersky separately notes the BlueNoroff overlap cluster also uses GPT-4o for image manipulation in lure generation.

• Infection chain details (ClickFix → macOS): The published IR commands mirror the axios dropper tradecraft exactly: system_profiler as camouflage, softwareupdate as a plausible cover command, then a curl | zsh payload delivery. The C2 domain uses an innocuous-looking name (mylingocoin[.]com). The axios sfrclak.com domain follows the same naming pattern — arbitrary-looking, not keyword-obvious.

• No new IOCs for the axios attack specifically. The GTIG UNC1069 report covers a separate intrusion. IOCs for the axios attack remain unchanged: sfrclak.com, callnrwise.com, 142.11.206.73:8000. New IOCs from the FinTech IR engagement (SILENCELIFT/DEEPBREATH/CHROMEPUSH) are relevant for threat hunting UNC1069 broadly, not for axios remediation specifically.

• Community dependency-safety reckoning intensifies. The community response documented in the days since the axios attack has coalesced into a concrete set of arguments:

  • Andrej Karpathy publicly disclosed a near-miss: a googleworkspace/cli tool he’d installed days earlier resolved to unaffected [email protected], but if he’d run npm install hours later, he would have been compromised. He called for package managers to change defaults so that a single compromised transitive dependency cannot spread at random through unpinned ranges.
  • InfoQ, Hacker News, and community discourse converged on two practical posture changes: (1) setting ignore-scripts=true in ~/.npmrc as a default would have blocked this entire attack class; (2) Bun and pnpm do not run install scripts by default — npm’s “opt-out” model for lifecycle scripts is now being actively contrasted against these alternatives.
  • The absence of a CVE for this specific attack (the axios npm compromise / SILKBELL/WAVESHAPER.V2 chain) continues to frustrate enterprise patch management workflows. Teams relying on CVE-based scanning remain potentially exposed without manual verification.

• jasonsaayman post-mortem: still none published. As of 16:00 UTC April 2, no formal post-mortem from the axios maintainer has been published. The GitHub issue (#10604) remains the only official acknowledgment. The npm registry shows the compromised versions deprecated, with latest pinned at 1.14.0.

• No arrests, sanctions, or law enforcement action. No indictments, infrastructure takedowns, or diplomatic action related to UNC1069/Sapphire Sleet has been announced. The threat actor remains active.

2026-04-02 13:00 UTC — Microsoft Formally Attributes to “Sapphire Sleet”; Additional SHA-256 Hashes Published; Windows Persistence Registry Key Specified

Microsoft Threat Intelligence published a comprehensive mitigation blog on April 1 formally attributing the axios attack to Sapphire Sleet — Microsoft’s tracking name for the North Korean state actor Google GTIG tracks as UNC1069. This is the second major vendor to formally name the actor, now with two independent attributions (Google GTIG: UNC1069; Microsoft: Sapphire Sleet) pointing to the same North Korea-nexus threat group. No materially new IOCs emerged, but several technical details in the Microsoft report add depth to the existing picture.

• Microsoft attribution: Sapphire Sleet. Microsoft’s blog confirms the same infrastructure (Hostwinds AS54290, sfrclak.com, 142.11.206.73:8000) is operated by Sapphire Sleet, a North Korean state actor active since at least March 2020, focused on finance, cryptocurrency, venture capital, and blockchain organizations. The plain-crypto-js publisher account ([email protected]) has been disabled by Microsoft. Sapphire Sleet and UNC1069 are two vendor-specific names for the same threat actor.

• New SHA-256 hashes published by Microsoft:

  • macOS binary (/Library/Caches/com.apple.act.mond): 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
  • Windows PowerShell RAT (6202033.ps1): ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c and 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
  • Windows stage (%PROGRAMDATA%\wt.exe): f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd
  • Linux Python RAT (/tmp/ld.py): fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf Add all five hashes to your threat intel platform and EDR blocklists.

• Windows persistence registry key specified: Microsoft confirms the Windows RAT establishes persistence via HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate (registry run key, value MicrosoftUpdate) pointing to %PROGRAMDATA%\system.bat. This is in addition to the %PROGRAMDATA%\wt.exe binary — incident responders must check and remove both the registry key and the batch file, not just terminate the running process.

• Auto-update hook warning. Microsoft’s blog specifically warns that the malicious payload includes a hook that will continue to attempt to update — implying remediated hosts that still have stale npm config pointing at affected version ranges could be re-infected on next npm update. Explicitly pin axios to 1.14.0 or 0.30.3 in package.json (not just ^1.14.0) and run npm install --package-lock-only to re-lock.

• No jasonsaayman post-mortem yet. As of this update, the axios maintainer has still not published a formal post-mortem or public statement beyond the Cybernews quote. Account recovery appears ongoing.

• No new arrests or law enforcement action. No indictments, sanctions, or takedowns of UNC1069/Sapphire Sleet infrastructure have been announced as of April 2, 2026.

2026-04-01 19:00 UTC — SANS Post-Briefing: ~600K Installs Estimated; TeamPCP May Have Sold Access to UNC1069; Credential Fallout Warned to Last “Months and Beyond”; CSA + Tenable Advisories Published

The SANS emergency briefing recap blog and post-session analysis from Faculty Fellow Joshua Wright and President Ed Skoudis introduces several significant new details not in prior reporting. The briefing was filmed live at SANS 2026 Orlando during the lunch break while the incident was still unfolding.

• ~600,000 estimated installs during the exposure window. SANS estimates approximately 600,000 npm installs occurred between 00:00 and ~03:15 UTC on March 31 — the full window when malicious axios versions were live. This is the first concrete quantification of install volume during the attack window, and places the scale of potential infections significantly higher than prior reports implied from the “3% of Wiz-monitored environments” figure alone.

• TeamPCP monetization theory: access broker hypothesis. Josh Wright introduced a working hypothesis that TeamPCP may be functioning as an access broker — acquiring initial access to developer toolchain infrastructure and then selling that access to other threat groups, including UNC1069/DPRK-affiliated actors. Under this theory, the attribution overlap between TeamPCP and UNC1069 isn’t a contradiction: TeamPCP established the developer ecosystem foothold (via Trivy, LiteLLM, etc.), then sold or transferred access to UNC1069, who deployed SILKBELL/WAVESHAPER.V2 against axios. This is not confirmed, but if true it represents a significant evolution in how supply chain attacks are operationalized — from single-actor campaigns to a multi-tier criminal-to-nation-state access marketplace.

• AI-enabled automation speculation for multi-platform delivery. Wright flagged the speed and operational tempo of the multi-platform payload delivery (simultaneous macOS C++, Windows PowerShell, Linux Python builds) as consistent with AI-assisted tooling automation. While explicitly not confirmed, the inference is that no small manual team could coordinate this at the observed tempo — suggesting the attackers may be using automated payload generation or scaffolding.

• Ed Skoudis: “This attack has long-term legs — months and beyond.” SANS President Ed Skoudis delivered a stark long-term warning: the axios compromise itself was the opening move. The stolen credentials — GitHub PATs, AWS keys, Azure tokens, npm tokens, SSH keys — give attackers access to downstream systems that haven’t been discovered yet. Quote: “The attackers, if they are smart, will go quiet now and then sometime later surprise us when they show that they have access to other packages through this attack we didn’t know that they nabbed.” Incident response teams should plan for credential-based follow-on intrusions extending months beyond today’s remediation window.

• No new IOCs from briefing. SANS confirmed no additional C2 domains or payload hashes emerged from the briefing session. IOC set remains: sfrclak.com, callnrwise.com, 142.11.206.73:8000. SANS noted they will publish additional confirmed IOCs on the SANS blog as they emerge.

• New sources published: Tenable advisory and CSA research note (PDF) both published on April 1. CSA notes this attack is consistent with prior North Korean-affiliated npm registry abuse patterns targeting developer build environments for high-value secrets. SOCRadar published a CISO-focused guide. No materially new technical findings in any of these beyond GTIG/Elastic.

• jasonsaayman post-mortem: still no formal statement. As of 19:00 UTC, no official post-mortem from the axios maintainer has been published. Account recovery appears still ongoing.

2026-04-01 16:00 UTC — Google GTIG Formal Attribution: UNC1069 (North Korea/BlueNoroff); Malware Officially Named SILKBELL + WAVESHAPER.V2; Axios Attack Confirmed Separate from TeamPCP

Google Threat Intelligence Group has published a comprehensive attribution report formally attributing the axios supply chain attack to UNC1069 — a North Korea-nexus, financially motivated threat actor active since at least 2018. This is the highest-confidence public attribution to date and comes from the vendor with the most complete view of the infrastructure. The report also explicitly separates this attack from the concurrent TeamPCP campaign, resolving what had been a contested dual-attribution picture since yesterday.

• GTIG attribution: UNC1069 (North Korea-nexus, BlueNoroff-linked). Google attributes this activity to UNC1069 based on: (1) the use of WAVESHAPER.V2, an updated version of a backdoor previously documented in BlueNoroff’s RustBucket operations; (2) infrastructure overlaps between axios C2 servers and infrastructure used by UNC1069 in past campaigns; (3) the macOS RAT’s internal project codename macWebT mapping directly to BlueNoroff’s documented webT module. UNC1069 specializes in financially-motivated intrusions targeting cryptocurrency platforms, AI companies, and developer toolchains.

• Axios attack is NOT part of TeamPCP. GTIG explicitly states this is an unrelated incident: “GTIG is investigating the axios supply chain attack, an incident unrelated to the recent TeamPCP supply chain issues.” The earlier period of contested attribution (TeamPCP vs. BlueNoroff) is now resolved — these are two simultaneous but independent supply chain campaigns.

• Official malware names now assigned:

  • SILKBELL — the obfuscated postinstall dropper (setup.js) inside [email protected]. SILKBELL performs OS detection, contacts C2, downloads the platform-specific payload, and self-destructs.
  • WAVESHAPER.V2 — the cross-platform RAT deployed by SILKBELL. An updated version of WAVESHAPER previously observed in BlueNoroff RustBucket campaigns. C++ on macOS, PowerShell on Windows, Python on Linux — all implementations of the same backdoor specification.

• Compromise vector identified: long-lived npm access token. Multiple sources (Picus Security, cybersecsentinel) report the maintainer account was compromised via a stolen long-lived classic npm access token — not a password breach. Classic npm tokens (generated pre-2022) do not require 2FA confirmation and do not expire by default. This explains why the attacker bypassed 2FA: they never needed to authenticate interactively. npm’s legacy token model is the systemic vulnerability exploited here.

• peinject bypasses macOS Gatekeeper. GTIG confirms that the peinject command on macOS performs ad-hoc code signing on dropped binaries before execution — allowing attacker-supplied payloads to bypass Gatekeeper’s unsigned binary restrictions. This is a higher-capability technique than previously understood and means post-exploitation payloads can execute on macOS without user approval prompts.

• Confirmed scope from Wiz research: Wiz reports axios is present in approximately 80% of cloud and code environments they monitor. Observed execution of the malicious package occurred in 3% of affected environments — translating to potentially tens of thousands of confirmed infections given download volume.

• 15-second infection time. OpenSourceMalware analysis confirms the full infection chain — from npm install trigger to persistent RAT implanted and dropper self-erased — takes approximately 15 seconds. Developers who ran install in a terminal and walked away would have no indication anything happened.

• No arrests or law enforcement action reported. As of this update, no arrests, sanctions, or indictments related to this attack have been announced. The UNC1069 infrastructure remains active (though C2 domains are blocked at npm level).

• StepSecurity town hall (10 AM PT / 18:00 UTC today): The community briefing is live as of this update. No significant new technical disclosures have emerged post-briefing beyond what GTIG published.

2026-04-01 13:00 UTC — Elastic Security Labs Full RAT Analysis Published; Dropper Obfuscation Keys Revealed; Windows Persistence Survives Kill Command

Elastic Security Labs has published a comprehensive deep-dive — Inside the Axios supply chain compromise: one RAT to rule them all — covering the full attack chain from npm compromise through dropper mechanics to stage-2 RAT architecture. This is the most technically complete public analysis to date. Key additions not previously reported:

• Dropper obfuscation fully decoded. The two-layer encoding scheme in setup.js is now confirmed: Layer 1 = string reversal + Base64 decode; Layer 2 = XOR cipher using key OrDeR_7077 with position-dependent index 7 * i² % 10. All critical strings — URLs, module names, shell commands — are stored in an encoded array stq[] and decoded at runtime. Prior reporting described this as “XOR + base64” without specifying the string reversal or the exact key.

• Stage-2 implementation languages confirmed per platform:

  • macOS: Compiled C++ binary (dropped to /Library/Caches/com.apple.act.mond)
  • Windows: PowerShell script (executed via renamed wt.exe; transient .ps1 at %TEMP%\6202033.ps1)
  • Linux: Python script (executed at /tmp/ld.py) All three are implementations of the same RAT specification — identical C2 protocol, command set, beacon cadence, and spoofed IE8 User-Agent — strongly indicating a single developer or tightly coordinated team working from a shared design document.

• Windows persistence survives the RAT’s own kill command. The Windows stage-2 installs a registry key + batch file for persistence. Critically, when the attacker issues a kill command (which sends an rsp_kill acknowledgment and exits the RAT process), Windows persistence artifacts are not removed. The macOS and Linux variants have no persistence mechanism of their own — Windows hosts remain at higher reinfection risk after a kill. Incident responders must explicitly remove the registry key and batch file on Windows, not just terminate the process.

• macOS command execution via AppleScript. The runscript command on macOS executes operator-supplied code via /usr/bin/osascript (AppleScript) — the same runtime used for the initial payload delivery. This is consistent with avoiding PowerShell/bash invocations that might trigger EDR alerts.

• rundir command confirmed for directory listing/exfiltration. The fourth RAT command (rundir) lists the contents of a specified directory and sends results to C2. This is used for targeted reconnaissance after initial access — the attacker maps victim filesystems before deciding what to steal.

• Elastic filed GitHub Security Advisory at 01:50 AM UTC March 31. This coordinated disclosure to the axios repository was a key trigger for the npm takedown response.

• StepSecurity community town hall happening today. The briefing on this incident is live at 10:00 AM PT / 18:00 UTC today (April 1). Register here. Expect additional IOCs, detection guidance, and Q&A. This article will be updated post-briefing if significant new information is disclosed.

2026-03-31 19:00 UTC — BlueNoroff/Lazarus Attribution Contested; Full RE Analysis Published; Second C2 Domain Discovered; Microsoft Detection Created

An independent reverse engineering analysis published as a GitHub Gist (researcher: N3mes1s) provides the most detailed technical breakdown of the axios RAT to date — and introduces a competing attribution claim that the security community will need to assess carefully.

• Competing attribution: BlueNoroff/Lazarus Group (HIGH confidence). Researcher N3mes1s assessed HIGH confidence attribution to BlueNoroff (a Lazarus Group sub-cluster known for financially-motivated attacks on developers and crypto). The primary evidence:

  • The macOS RAT’s internal project codename is macWebT — directly linking it to BlueNoroff’s documented RustBucket webT module from 2023 (same User-Agent string, same 60-second beacon interval, same Hostwinds AS54290 infrastructure ASN)
  • 9 confirmed Lazarus IPs on the same ASN (AS54290/Hostwinds) as the axios C2
  • macOS RAT classified as NukeSped — a Lazarus-exclusive malware family
  • Build path recovered from binary: /Users/carey/Dev/MAC_DATA/MAC/Trojan/webT/ta
  • Note: TeamPCP attribution (confirmed by SANS, Huntress, Phoenix Security, et al.) remains the majority vendor assessment. It is possible TeamPCP leveraged BlueNoroff tooling, or these are two distinct analytic framings of the same infrastructure. The conflict is unresolved.

• Second C2 domain discovered: callnrwise.com. Infrastructure pivoting via VirusTotal domain resolutions identified a second C2 domain resolving to the same IP (142.11.206.73). The domain name references the attacker’s npm account (nrwise). Add to your blocklists immediately.

• Microsoft created dedicated detection family: Backdoor:Mac/Axios.A. Microsoft Defender now detects the macOS RAT under this family name. Windows detection coverage also improved: the Windows Stage 2 payload went from 12/76 to 17/76 detections on VirusTotal. Linux RAT remains at 2/76 detections.

• Linux RAT’s peinject command is broken. The Linux peinject capability — designed for process injection — crashes at runtime due to an undefined variable (b64_string) at line 156 of the payload. The Linux RAT is functional for credential theft and C2 beaconing, but process injection does not work on Linux hosts.

• Novel .NET injection DLL identified: Extension.SubRoutine.Run2(). The Windows payload uses an undocumented .NET process injection DLL with zero public references. Closest behavioral match in public research is BlueCrab/REvil’s [Mode]::Setup(). Live validation confirmed on a Daytona Windows Server 2022 sandbox: Run2() invoked with cmd.exe as target.

• Full payload hashes now available (18 SHA256). Machine-readable IOC bundle published: axios_iocs_machine_readable.json. Import into your threat intel platform.

• Detection rules now available (YARA/Sigma/Suricata): 8 YARA rules (100% detection rate across all 5 samples), 8 Sigma rules for Windows/macOS/Linux, 11 Suricata/Snort IDS rules including Base64 beacon pattern matching. Published in the same Gist. Highly recommended for immediate deployment.

• jasonsaayman note via Cybernews: The axios maintainer stated he is unaware of the exact method by which his account was compromised — “I’m trying to get support to understand how this even happened.” No formal maintainer statement published yet; account recovery still in progress.

• TeamPCP also tracked as: DeadCatx3, PCPcat, ShellForce, CanisterWorm (per GitHub/ugurrates IOC repo tracking CVE-2026-33634).

• New IOC summary (add to blocklists):

  • Domain: callnrwise.com ← NEW
  • Domain: sfrclak.com (previously known)
  • IP: 142.11.206.73:8000 (both domains resolve here)
  • URL pattern: http://sfrclak.com:8000/6202033
  • Windows artifacts: %TEMP%\6202033.vbs, %TEMP%\6202033.ps1
  • macOS artifact: /Library/Caches/com.apple.act.mond
  • Linux artifact: /tmp/ld.py

2026-03-31 16:00 UTC — Attribution: TeamPCP Confirmed; Huntress Observes 100+ Compromised Devices

This is the most significant update since the incident broke. The axios attack has been formally attributed to TeamPCP — a multi-ecosystem, state-linked threat actor group responsible for a sustained supply chain campaign that started weeks before the axios compromise.

• Attribution confirmed: TeamPCP. SANS, Huntress, Phoenix Security, Field Effect, and SafeDep have independently assessed this attack as part of the broader TeamPCP supply chain campaign active since at least March 1, 2026. The axios npm compromise is the latest and largest-scale operation in a series of coordinated attacks.

• The attack chain predates axios by weeks. TeamPCP’s campaign timeline:

  • Mar 1, 2026: Initial breach of Aqua Security’s service account (aqua-bot) — this was the root credential that cascaded everything.
  • Mar 19: Malicious tag v0.69.4 force-pushed to Trivy (Aqua’s vulnerability scanner, 76 of 77 GitHub Actions tags poisoned). Credential stealers harvested CI/CD runner secrets at scale.
  • Mar 20: Stolen npm tokens weaponized a self-propagating worm (CanisterWorm) that infected 66+ npm packages across multiple organizations — without further attacker intervention.
  • Mar 22: Malicious Docker images pushed; 44 Aqua Security repositories defaced. An Iran-targeted wiper component discovered in payloads.
  • Mar 23: Checkmarx KICS and AST GitHub Actions hijacked. Malicious VS Code/OpenVSX extensions published.
  • Mar 24: LiteLLM compromised on PyPI (using credentials stolen from a Trivy scan), affecting ~95M monthly downloads and giving attackers keys to AI infrastructure across 36% of monitored cloud environments.
  • Mar 27: Telnyx communications library compromised on PyPI.
  • Mar 31 (today): axios compromised on npm — the campaign’s largest target by download volume.

• Blockchain C2 — a world first. TeamPCP used an Internet Computer Protocol (ICP) canister as a dead-drop C2 mechanism — the first documented abuse of decentralized blockchain infrastructure for threat actor command and control. Traditional domain takedowns are ineffective against this component.

• Self-propagating worm capability. Stolen npm tokens were automatically used to infect victim-maintained packages, creating new upstream compromises without attacker intervention. Supply chain risk is now exponential, not single-hop.

• Shared RSA-4096 public key across all payloads (strongest attribution link): The same RSA-4096 public key appears in LiteLLM 1.82.8, Telnyx 4.87.1/4.87.2, and the axios RAT payloads — cryptographically linking all these attacks to a single threat actor infrastructure.

• Extortion escalation confirmed. As of ~March 25, TeamPCP pivoted from credential theft to active extortion, reportedly working through ~300 GB of compressed stolen credentials and collaborating with the LAPSUS$ extortion group to target multi-billion-dollar companies. Mandiant estimates 1,000+ SaaS environments impacted, with projections of 5,000–10,000.

• Threat actor fingerprinting. TeamPCP embedded song titles in C2 infrastructure and payloads (Mattafix “Big City Life”, Dido “Thank You”, Queen “The Show Must Go On”, Eduard Khil “Mr. Trololo”). This may be deliberate OPSEC provocation or an identifier.

• DarkSeek3r / octocommit: A GitHub user DarkSeek3r (ID 266895321, created Mar 10, 2026) forked aquasecurity/trivy and actions/checkout before the attack — and later renamed their account to octocommit. This account remains active and is a person of interest in the investigation.

• Affected device count (Huntress): Huntress has observed over 100 affected devices with confirmed infection artifacts from the axios compromise as of this reporting window.

• New Windows IOCs (SANS): Additional Windows-specific artifacts identified: %TEMP%\6202033.vbs and %TEMP%\6202033.ps1 — the campaign identifier (6202033) appears as both the C2 URL path and temp file names. Add these to your detection queries.

• C2 callbacks masquerade as npm traffic. The RAT’s exfiltration callbacks are disguised as legitimate npm package requests: packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux). These will bypass naive npm-allowlist rules. Block on URL pattern, not just the domain.

• Formal CVE assigned to broader TeamPCP campaign: The TeamPCP Trivy/KICS/LiteLLM campaign wave is tracked as CVE-2026-33634 (CVSS 9.4). The axios-specific npm compromise remains without a CVE — traditional CVE-based scanners still will not flag it.

• Community town hall tomorrow: StepSecurity is hosting a community briefing on April 1, 2026 at 10:00 AM PT — register here.

2026-03-31 13:00 UTC — 6-hour update

• npm takedown confirmed complete. [email protected] and [email protected] were removed from the registry at approximately 03:15 UTC (inferred from npm registry metadata). plain-crypto-js received a security hold at 03:25 UTC and was replaced by a security-holder stub ([email protected]) at 04:26 UTC. Total exposure window: ~3 hours 19 minutes for axios versions; ~4 hours 27 minutes for [email protected].
• New IOC — C2 IP confirmed: The C2 resolves to 142.11.206.73 on port 8000. The full dropper callback URL is http://sfrclak.com:8000/6202033 — the path segment 6202033 is a hardcoded campaign identifier embedded in the obfuscated dropper. Block the IP, not just the domain.
• RAT capabilities now fully documented (see updated section below): macOS RAT supports 4 attacker commands (peinject, runscript, rundir, kill), beacons every 60 seconds using a fake IE8/Windows XP User-Agent, and generates a unique 16-character victim ID. The RAT encrypts stolen data with AES-256-CBC + RSA-4096 before exfiltration. Targeted credential sweep includes SSH keys, AWS/GCP/Azure tokens, Kubernetes configs, .env files, shell history, and crypto wallets.
• Additional compromised packages found: Snyk identified at least two other npm packages that shipped malicious [email protected] as a dependency: @qqbrowser/[email protected] (Snyk advisory SNYK-JS-QQBROWSEROPENCLAWQBOT-15850776) and @shadanai/openclaw-... — check your full dependency tree, not just direct axios references.
• Snyk advisories assigned: SNYK-JS-AXIOS-15850650 and SNYK-JS-PLAINCRYPTOJS-15850652. Note: no CVE has been assigned — traditional CVE-based scanners will not flag this attack.
• Attribution assessment: Phoenix Security assesses an espionage or APT motive based on the RAT’s capabilities and the conspicuous absence of ransomware or crypto-mining payloads. No link to a known named threat actor confirmed.
• Backstage confirmed affected/detected: StepSecurity Harden-Runner flagged the C2 callback in a Backstage repository CI run. The Backstage team confirmed the workflow was sandboxed and the project was not impacted, but the detection confirms real-world propagation.
• Community briefing: StepSecurity is hosting a town hall on April 1, 2026 at 10:00 AM PT — register here.

Axios — the most widely used HTTP client in the JavaScript ecosystem with 100 million weekly downloads — was compromised today in one of the most sophisticated supply chain attacks ever documented on a top-10 npm package. The attack leveraged a hijacked maintainer account, 18-hour pre-staging, and self-erasing malware to deploy a cross-platform Remote Access Trojan (RAT) on developer machines and CI/CD systems worldwide.

What Is Axios?

Axios is the de-facto HTTP client for JavaScript. It ships in virtually every Node.js backend, React and Vue frontend, Electron app, CI/CD pipeline, and automation script that makes HTTP requests. Its ubiquity is exactly why this attack matters — developers don’t think twice before running npm install axios. It’s infrastructure-level trust.

With over 300 million all-time downloads and 83 million weekly installs, a window of even a few hours in a malicious minor release translates to potentially hundreds of thousands of compromised machines.

What Happened

The Maintainer Account Hijack

The attacker compromised the npm account of jasonsaayman — the lead axios maintainer. The attack vector isn’t publicly confirmed yet, but the attacker’s first move was changing the account’s registered email to [email protected] — an anonymous ProtonMail address — effectively locking out the legitimate owner from recovery.

With credentials in hand, the attacker bypassed axios’s GitHub Actions CI/CD pipeline entirely. The project uses cryptographic OIDC verification to ensure package integrity through its normal release workflow. The attacker simply ignored it — publishing directly via the npm CLI without touching GitHub at all. No commits. No tags. No pull requests.

This is the key insight: CI/CD security doesn’t help if an attacker has valid npm credentials. The pipeline was secure. The credential was not.

The 18-Hour Pre-Staging Operation

This wasn’t improvised. The attack was pre-staged over roughly 18 hours before the axios compromise:

The 4.2.0 decoy version was published almost 18 hours earlier specifically to build npm publishing history and avoid “brand-new package” alarms from security scanners like Socket and Snyk. By the time the malicious 4.2.1 landed, the package looked like a legitimate project with a version history.

Both axios branches were hit within 39 minutes — modern 1.x and legacy 0.x — maximizing coverage across the entire axios user base.

Socket detected the attack within 6 minutes of publication. But the npm distribution network had already begun propagating the package.

How the Malware Works

Injection Mechanism

Neither [email protected] nor [email protected] contains a single line of malicious code inside axios itself. There’s nothing to find in the axios source. Instead, both versions add [email protected] as a runtime dependency — a package that is never imported anywhere in the axios codebase.

Its only purpose is to trigger npm’s postinstall lifecycle hook: "postinstall": "node setup.js". The moment you run npm install, setup.js executes at your current privilege level. If you ran sudo npm install, the malware had root.

The Dropper

The setup.js dropper uses two-layer obfuscation — XOR cipher plus base64 encoding — to hide C2 addresses and payload strings from static analysis. At runtime it:

1. Detects the operating system
2. Contacts the C2 server at sfrclak.com:8000
3. Downloads a platform-specific second-stage payload
4. Establishes persistence
5. Self-destructs — deletes setup.js, replaces package.json with a clean stub

Platform-Specific Payloads

Each OS got a tailored infection path designed to blend in:

macOS:

• RAT dropped to /Library/Caches/com.apple.act.mond
• Path mimics Apple’s legitimate system cache naming conventions

Windows:

• Payload written to %PROGRAMDATA%\wt.exe
• Filename spoofs Windows Terminal (wt.exe)

Linux:

• Python dropper executed at /tmp/ld.py via nohup
• Background persistence via nohup ensures the dropper survives terminal closure

The Forensic Blind Spot

After the dropper executes and self-destructs, a developer inspecting node_modules post-infection finds nothing suspicious. The plain-crypto-js directory looks clean — the malicious package.json has been replaced with a legitimate-looking stub. Standard post-infection forensics come up empty.

This is what makes the attack particularly dangerous. By the time you find out you installed the bad version, you have no local evidence of what ran.

Who Is Affected

You are potentially affected if:

• You ran npm install, npm update, or npm ci between ~Mar 30 23:59 UTC and Mar 31 afternoon UTC
• Your package-lock.json or yarn.lock resolves to [email protected] or [email protected]
• Your CI/CD pipeline installed dependencies during this window
• You have plain-crypto-js anywhere in your dependency tree

The blast radius extends beyond direct axios users. Any package that depends on axios — and there are thousands — could have pulled in the compromised version transitively.

Immediate Remediation

Step 1: Check if you’re affected

# Check package-lock.json
grep -E "axios.*(1\.14\.1|0\.30\.4)|plain-crypto-js" package-lock.json

# Check if malicious package was installed
ls node_modules/plain-crypto-js/ 2>/dev/null

# Check yarn.lock
grep -E "axios.*(1\.14\.1|0\.30\.4)" yarn.lock

Step 2: Check for infection artifacts

# macOS
ls /Library/Caches/com.apple.act.mond 2>/dev/null

# Windows (PowerShell)
Test-Path "$env:PROGRAMDATA\wt.exe"

# Linux
ls /tmp/ld.py 2>/dev/null

Step 3: Check network logs

Look for outbound connections to:

• sfrclak.com (C2 server)
• 142.11.206.73 (C2 IP — block this directly)
• Port 8000
• Full URL pattern: http://sfrclak.com:8000/6202033

Step 4: Downgrade to safe versions

# For 1.x users
npm install [email protected]

# For 0.x users  
npm install [email protected]

Step 5: If you find evidence of compromise

• Assume full system compromise — the RAT had arbitrary command execution
• Rotate all credentials on or accessible from affected machines: API keys, SSH keys, cloud credentials, tokens, database passwords
• Rebuild affected CI/CD runners — don’t try to clean them
• Review git history for any unexpected commits from CI systems
• Audit access logs for lateral movement from affected machines
• Contact your security team if this is a corporate environment

The Bigger Picture: Supply Chain Trust

This attack follows a pattern we’ve seen repeatedly:

• SolarWinds (2020): Build system compromise
• XZ Utils (2024): Long-term social engineering of a maintainer
• Axios (2026): Credential compromise of a trusted maintainer

The common thread: trust in the release process is the attack surface. Code review, GitHub Actions, SAST, DAST — none of it matters if an attacker controls the credentials that publish to the package registry.

Defenses that would have caught or limited this:

• npm 2FA enforcement — mandatory 2FA for publishing top packages (npm has this for popular packages but enforcement is inconsistent)
• Package transparency logs — cryptographic publish attestations tied to CI/CD (GitHub’s npm provenance feature does this, but axios wasn’t using it for this release)
• Dependency pinning — pinning exact versions in package-lock.json and auditing diffs before CI runs
• Postinstall script blocking — npm config set ignore-scripts true prevents lifecycle hooks from running on install; breaks some legitimate packages but eliminates this entire attack class
• Socket / Snyk in CI — Socket detected this within 6 minutes; having it gate CI would have stopped the blast radius significantly

Current Status

As of April 2, 2026 16:00 UTC:

• Malicious versions removed from npm — [email protected] and [email protected] unpublished at ~03:15 UTC Mar 31; latest tag reverted to [email protected]
• plain-crypto-js fully removed — security-holder stub published at 04:26 UTC Mar 31; any install now returns a security notice
• Total exposure window: ~3h 19min (axios versions); ~4h 27min ([email protected]); full infection in ~15 seconds; ~600,000 estimated installs during window (SANS)
• Attribution RESOLVED: UNC1069 / Sapphire Sleet (North Korea / BlueNoroff / Lazarus Group). Google GTIG formally attributed this attack to UNC1069 on April 1, 2026; Microsoft independently attributed it to Sapphire Sleet on the same date — two vendor names for the same North Korea-nexus actor. This is a financially motivated threat actor active since at least 2018–2020 and linked to BlueNoroff’s RustBucket operations.
• Axios attack is UNRELATED to TeamPCP. GTIG explicitly confirmed these are two separate concurrent supply chain campaigns. TeamPCP’s campaign (CVE-2026-33634) and the UNC1069 axios attack share no infrastructure or operational overlap.
• Malware families officially named: SILKBELL (dropper) and WAVESHAPER.V2 (RAT) — both confirmed by GTIG
• Compromise vector: Long-lived classic npm access token (no 2FA required, no expiry) — not a password breach
• Axios maintainer (jasonsaayman) account recovery ongoing; no formal post-mortem published yet (as of 16:00 UTC April 2)
• Wiz: ~80% of monitored cloud environments have axios; 3% confirmed execution of malicious package
• Huntress confirmed 100+ infected devices from the axios compromise
• Multiple security firms published analyses: StepSecurity, Socket, Snyk, Phoenix Security, SOCRadar, The Hacker News, The Register, SANS, Huntress, Field Effect, SafeDep, N3mes1s (independent RE), Elastic Security Labs (full RAT analysis), Google GTIG (formal attribution), Wiz, Bitdefender, Malwarebytes, Picus Security
• Snyk advisories: SNYK-JS-AXIOS-15850650 · SNYK-JS-PLAINCRYPTOJS-15850652 — no CVE for axios/UNC1069 attack specifically; TeamPCP campaign separately tracked as CVE-2026-33634 (CVSS 9.4) (unrelated)
• Microsoft detection live: Backdoor:Mac/Axios.A family; Windows Stage 2 at 17/76 VT detections; Linux RAT at 2/76
• C2 infrastructure (block all): sfrclak.com, callnrwise.com, 142.11.206.73:8000
• No arrests, sanctions, or law enforcement action announced as of this update; UNC1069/Sapphire Sleet remains active
• Detection rules available: YARA (8 rules), Sigma (8 rules), Suricata (11 rules) — download from Gist
• Additional compromised packages: @qqbrowser/[email protected] and others shipped malicious [email protected] transitively
• Safe versions: [email protected] (1.x) and [email protected] (0.x)

Sources: StepSecurity · Socket · Snyk · Phoenix Security · GitHub Issue #10604 · The Register · SANS · SANS — Post-Briefing Recap · Huntress · SANS — TeamPCP Deep Dive · ramimac.me — TeamPCP Timeline · Field Effect · SafeDep — Trivy/TeamPCP · Elastic Security Labs — Full RAT Analysis · Google GTIG — UNC1069 Attribution · Google GTIG — UNC1069 Expanded Capabilities (SILENCELIFT/DEEPBREATH/CHROMEPUSH) · Microsoft — Sapphire Sleet Attribution + Mitigations · Help Net Security · Wiz · Bitdefender · Malwarebytes · Picus Security · Tenable · CSA Research Note · SOCRadar CISO Guide · InfoQ — Community Analysis

Follow @RedTeamGuides for live updates on this incident and future supply chain threats.