Comprehensive Threat Exposure Management Platform
Critical Threat Research : Middle-East at WAR: The Rapidly Escalating Iranian Cyber Threat Download the Report Critical Threat Research : Middle-East at WAR: The Rapidly Escalating Iranian Cyber Threat Download the ReportThe Axios npm supply chain attack represents a critical compromise of one of the most widely used JavaScript HTTP client libraries in the npm ecosystem. This sophisticated supply chain attack targeted the Axios npm package, which receives over 100 million weekly downloads and is present in approximately 80% of cloud environments, creating an unprecedented blast radius across global development infrastructure.
On March 30-31, 2026, a North Korea-aligned threat actor known as UNC1069 (also tracked as BlueNoroff, Sapphire Sleet, APT 38, and Stardust Chollima under the broader Lazarus Group umbrella) successfully compromised a maintainer account for the Axios npm package using a stolen long-lived npm access token. The attackers published two malicious versions of Axios (1.14.1 and 0.30.4) that introduced a hidden malicious dependency called plain-crypto-js, which executed during the npm installation process through the postinstall lifecycle hook.
This Axios supply chain compromise affected any developer, CI/CD pipeline, or production system that executed npm install during the critical three-hour exposure window from March 31, 2026, approximately 00:21 to 03:20 UTC. The malicious dependency deployed cross-platform Remote Access Trojans (RATs) on Windows, macOS, and Linux systems without requiring any user interaction beyond the standard package installation process.
The malicious script, dubbed SILKBELL, functioned as an obfuscated JavaScript dropper that contacted a command-and-control server at sfrclak[.]com to deploy a sophisticated RAT identified as WAVESHAPER.V2 (also known as ZshBucket RAT). This malware performed extensive credential harvesting operations, targeting developer credentials, API tokens, cloud access keys for AWS, Azure, and GCP, SSH keys, database credentials, and npm tokens. The attack established persistent backdoor access while incorporating anti-forensic techniques such as deleting installation artifacts and restoring modified files to evade detection.
A critical detection indicator for the Axios compromise was the absence of OIDC (OpenID Connect) provenance metadata and SLSA (Supply-chain Levels for Software Artifacts) build attestations on the malicious releases, representing a significant departure from Axios’ standard publishing workflow. This supply chain attack demonstrates the evolving sophistication of attackers who increasingly target package distribution mechanisms rather than application code itself, following a concerning pattern established by previous incidents including SolarWinds (2020), Log4j ecosystem abuse (2021), and the npm multi-package compromises of 2025.
The Axios npm attack occurred in the context of heightened supply chain threat activity, as another threat actor tracked as TeamPCP (UNC6780) had already launched a series of back-to-back supply chain attacks targeting open-source projects including Trivy, KICS, and LiteLLM in the weeks preceding the Axios incident. This concentration of npm supply chain attacks has intensified existing concerns around developer ecosystem security and the vulnerability of open-source package repositories to coordinated compromise campaigns.
The Axios supply chain attack began with the compromise of a maintainer’s npm account using a stolen long-lived npm access token. This initial access technique allowed the UNC1069 threat actor to bypass normal authentication controls and publish malicious versions of the Axios package directly to the npm registry. The attackers demonstrated clear understanding of modern development workflows and npm publishing mechanisms, exploiting the implicit trust that developers and automated systems place in popular open-source packages.
The compromised maintainer account belonged to jasonsaayman, one of the legitimate maintainers of the Axios project. By leveraging valid account credentials through the stolen access token, the attackers were able to publish packages that appeared to originate from a trusted source, making initial detection significantly more challenging. This account compromise technique represents a sophisticated evolution in supply chain attack methodology, targeting the human and authentication layer rather than exploiting technical vulnerabilities in the package repository infrastructure itself.
Rather than modifying Axios’ core source code, which would have been more easily detected through code review processes, the attackers employed a more subtle approach by introducing a malicious dependency called plain-crypto-js into the package.json configuration of the compromised Axios versions. This malicious dependency executed through npm’s postinstall lifecycle hook, meaning that simply installing Axios during the affected period automatically triggered the compromise without requiring any user interaction or additional commands.
The attackers published two malicious versions: axios@1.14.1 targeting the current 1.x branch and axios@0.30.4 targeting the legacy 0.x branch. This dual-version strategy ensured maximum coverage across different projects and dependency trees, as some organizations continue to use older Axios versions for compatibility reasons. The malicious packages were available on the npm registry for approximately three hours, from March 31, 2026, around 00:21 to 03:20 UTC, creating a critical exposure window during which automated CI/CD pipelines and developer workstations worldwide could have been compromised.
A key technical indicator that distinguished these malicious releases from legitimate Axios packages was the absence of OIDC (OpenID Connect) provenance metadata and SLSA (Supply-chain Levels for Software Artifacts) build attestations. These security mechanisms, which Axios had previously implemented as part of its standard publishing workflow, provide cryptographic proof of package authenticity and build integrity. The absence of these attestations should have raised red flags for organizations with mature supply chain security monitoring capabilities.
Once executed through the npm postinstall hook, the malicious plain-crypto-js dependency deployed an obfuscated JavaScript dropper identified as SILKBELL. This initial-stage malware established contact with a command-and-control server located at sfrclak[.]com (IP address 142.11.206.73) over port 8000, using HTTP protocol to retrieve second-stage payloads. The malware communicated using a specific User-Agent string: “mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)” designed to blend in with legitimate web traffic.
SILKBELL functioned as a cross-platform dropper capable of deploying platform-specific Remote Access Trojans based on the victim’s operating system. The second-stage malware, identified as WAVESHAPER.V2 (also known as ZshBucket RAT), provided comprehensive remote access capabilities across Windows, macOS, and Linux environments. On Windows systems, the malware created persistence mechanisms through registry run keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate and deployed executables to %PROGRAMDATA%\wt.exe along with batch scripts at %PROGRAMDATA%\system.bat.
On macOS systems, WAVESHAPER.V2 established persistence through Launch Agents and deployed binaries to /Library/Caches/com.apple.act.mond. Linux compromises involved Python-based payloads stored at /tmp/ld.py. The malware performed extensive system reconnaissance, collecting information about the operating system, installed software, file system structure, and network configuration to facilitate subsequent attack operations and lateral movement opportunities.
The primary objective of WAVESHAPER.V2 was comprehensive credential harvesting targeting the developer ecosystem. The malware systematically searched for and exfiltrated environment variables, configuration files, credential stores, and authentication tokens commonly used in software development workflows. Specific targets included AWS access keys and secret keys, Azure service principal credentials, Google Cloud Platform service account keys, SSH private keys, database connection strings with embedded credentials, npm authentication tokens, GitHub personal access tokens, and API keys for various third-party services.
This extensive credential harvesting operation posed severe risks to compromised organizations, as developer credentials often provide broad access to source code repositories, cloud infrastructure, production databases, and CI/CD systems. The exfiltrated credentials could enable attackers to conduct follow-on operations including intellectual property theft, further supply chain attacks by compromising additional open-source projects, lateral movement within corporate networks, deployment of additional malware or ransomware, and unauthorized access to customer data or sensitive business information.
The malware incorporated sophisticated anti-forensic techniques designed to evade detection and complicate incident response efforts. After establishing persistent backdoor access and exfiltrating credentials, WAVESHAPER.V2 deleted installation artifacts including the plain-crypto-js directory from node_modules and any temporary files created during execution. The malware also attempted to restore modified files to their original state and clear relevant entries from shell history files to hide evidence of its activity from forensic analysis.
The Axios supply chain attack has been attributed with high confidence to UNC1069, a North Korea-aligned, financially motivated threat cluster that operates under the broader Lazarus Group umbrella. This threat actor is also tracked under numerous aliases across different security vendors and threat intelligence platforms, including BlueNoroff, APT 38, Stardust Chollima, CTG-6459, Nickel Gladstone, TEMP.Hermit, T-APT-15, ATK 117, Black Alicanto, Copernicium, TA444, Sapphire Sleet, TAG-71, Alluring Pisces, Selective Pisces, G0082, CryptoCore, and CageyChameleon.
UNC1069 has historically focused on financially motivated operations targeting cryptocurrency exchanges, financial institutions, and technology companies to generate revenue for the North Korean regime. The group has demonstrated advanced capabilities in social engineering, supply chain compromise, and custom malware development. The Axios attack represents an evolution in the group’s tactics, shifting from targeted attacks against specific organizations to opportunistic supply chain compromise affecting thousands of potential victims across the global software development community.
The attack demonstrated clear understanding of modern development workflows, npm package management, dependency resolution mechanisms, CI/CD pipeline automation, and the implicit trust relationships within the open-source ecosystem. This level of sophistication suggests that UNC1069 has invested significant resources in understanding developer tooling and supply chain vulnerabilities, positioning the group to conduct additional attacks against the software development ecosystem in the future.
The Axios compromise occurred within a broader pattern of escalating supply chain attacks targeting the npm ecosystem. In the weeks immediately preceding the Axios incident, another threat actor tracked as TeamPCP (UNC6780) launched a series of back-to-back supply chain attacks targeting popular open-source security and AI projects including Trivy (a vulnerability scanner), KICS (an infrastructure-as-code security tool), and LiteLLM (a library for interacting with large language models). This concentration of npm supply chain activity across multiple threat actors has created a heightened threat environment for the JavaScript development community.
The Axios attack follows a concerning historical pattern of high-impact supply chain compromises including the SolarWinds Orion platform compromise in 2020, widespread abuse of Log4j vulnerabilities and the broader Log4j ecosystem in 2021, and numerous npm multi-package compromises throughout 2025. These incidents collectively demonstrate a strategic shift among sophisticated threat actors, who increasingly recognize that compromising widely used dependencies and development tools provides more efficient attack vectors than targeting individual applications or organizations directly.
Organizations must immediately roll back all Axios installations to version 1.14.0 for the 1.x branch or 0.30.3 for the 0.x legacy branch. Security teams should verify that no lockfiles including package-lock.json, yarn.lock, or pnpm-lock.yaml reference the malicious versions 1.14.1 or 0.30.4 in any project or environment. The node_modules/plain-crypto-js directory should be manually removed from all development workstations, build servers, and production environments where it may have been installed. This remediation should be prioritized as the most critical immediate action to prevent ongoing malware execution and credential exfiltration.
Development teams must remove caret (^) and tilde (~) version range prefixes from package.json files to prevent automatic resolution to malicious versions during future npm install operations. Organizations should implement overrides blocks in package.json or resolutions blocks in yarn’s package.json to force pinned versions for transitive dependencies that may indirectly depend on Axios. Automated dependency update tools including Dependabot, Renovate, and similar bots should be temporarily disabled from automatically upgrading Axios packages until the threat landscape has stabilized and comprehensive verification processes have been implemented. This dependency pinning strategy provides defense-in-depth against future supply chain attacks that exploit automated version resolution mechanisms.
Security teams must assume that all environment variables, API tokens, cloud access keys for AWS, Azure, and GCP, SSH private keys, database credentials, npm authentication tokens, and CI/CD secrets present on any system where the malicious Axios packages executed have been compromised and exfiltrated. These credentials must be rotated immediately from a known-clean machine that was not exposed to the malicious packages. Organizations should review access logs, CloudTrail logs, and authentication logs for anomalous activity patterns that may indicate unauthorized access using exfiltrated credentials. This comprehensive credential rotation operation should be treated as a potential full compromise scenario given the extensive credential harvesting capabilities of WAVESHAPER.V2.
Network security teams must block all inbound and outbound traffic to the primary command-and-control domain sfrclak.com, its associated IP address 142.11.206.73, and communications over port 8000 at network firewalls, DNS filtering services, and corporate web proxies. Additionally, organizations should block the related pivot domain callnrwise.com and monitor for connection attempts to suspected related infrastructure including IP addresses 23.254.203.244 and 23.254.167.216. These network-level controls provide detective and preventive capabilities to identify compromised systems attempting to communicate with attacker infrastructure and to prevent successful command-and-control channel establishment for any residual malware instances.
DevOps and security teams must comprehensively review all CI/CD pipeline execution logs for npm install, yarn install, or pnpm install operations that occurred between 00:21 and 03:15 UTC on March 31, 2026. Any persistent self-hosted runner, including GitHub Actions self-hosted runners, GitLab Runners, Jenkins agents, or Azure DevOps agents, that installed the affected Axios versions during this window should be treated as fully compromised and rebuilt from trusted base images. For ephemeral runners that were destroyed after use, organizations must rotate all secrets and credentials that were injected as environment variables or configuration during the compromised execution window, as these credentials should be considered exfiltrated.
Development teams should configure automated build processes to use npm ci –ignore-scripts instead of standard npm install commands to prevent postinstall lifecycle hooks from executing during CI/CD operations. Organizations can configure npm globally with npm config set ignore-scripts true in CI/CD environments to establish a default-deny posture for script execution during package installation. This configuration change blocks a common supply chain attack vector used by malicious packages that rely on lifecycle script execution for initial compromise. Development teams should maintain an explicit allowlist of packages that require postinstall scripts for legitimate functionality and manually review these scripts before adding them to the allowlist.
Domains: sfrclak[.]com, callnrwise[.]com
IP Addresses: 142[.]11[.]206[.]73, 23[.]254[.]203[.]244, 23[.]254[.]167[.]216
URLs: hxxp[:]//sfrclak[.]com:8000/6202033, hxxp[:]//sfrclak[.]com:8000
npm Packages: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1
Compromised npm Account: jasonsaayman
Attacker npm Account: nrwise
npm Identifiers: packages.npm.org/product0, packages.npm.org/product1, packages.npm.org/product2
Windows File Paths: %PROGRAMDATA%\wt.exe, %PROGRAMDATA%\system.bat, %TEMP%\6202033.vbs, %TEMP%\6202033.ps1
macOS File Paths: /Library/Caches/com.apple.act.mond
Linux File Paths: /tmp/ld.py
Windows Registry Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate
User-Agent String: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
Email Addresses: ifstap@proton[.]me, nrwise@proton[.]me
SHA256 Hashes:
SHA1 Hashes:
T1195: Supply Chain Compromise
T1078: Valid Accounts
T1059: Command and Scripting Interpreter
T1547: Boot or Logon Autostart Execution
T1070: Indicator Removal
T1036: Masquerading
T1027: Obfuscated Files or Information
T1620: Reflective Code Loading
T1082: System Information Discovery
T1083: File and Directory Discovery
T1071: Application Layer Protocol
T1105: Ingress Tool Transfer
T1552: Unsecured Credentials
https://socket.dev/blog/axios-npm-package-compromised
https://www.sans.org/blog/axios-npm-supply-chain-compromise-malicious-packages-remote-access-trojan
https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack
https://www.sophos.com/en-us/blog/axios-npm-package-compromised-to-deploy-malware
https://unit42.paloaltonetworks.com/axios-supply-chain-attack/
Get through updates and upcoming events, and more directly in your inbox