🛡️ Threat Intelligence Report: Axios npm Supply Chain Attack

1. Reports Summary Table

2. Executive Summary

Overview

On March 31, 2026, a critical supply chain attack was executed against the Axios npm package — one of the most widely used JavaScript HTTP client libraries in the world, with over 100 million weekly downloads and deployment in approximately 80% of cloud and code environments. A threat actor compromised the npm maintainer credentials of the primary Axios maintainer and published two malicious versions: 1.14.1 and 0.30.4. These versions introduced a single new dependency, plain-crypto-js@4.2.1, a typosquat of the legitimate crypto-js package, which served as a multi-stage dropper for a cross-platform Remote Access Trojan (RAT).

The exposure window lasted approximately 169 minutes (from 00:21 to 03:20 UTC on March 31, 2026) before npm intervened and removed the compromised packages. During this window, an undetermined number of developer machines, CI/CD pipelines, and production environments installed the malicious code. Wiz reports that at least 3% of monitored environments showed execution of the compromised packages.

Google's Threat Intelligence Group (GTIG) and Mandiant attributed this attack to UNC1069, a financially motivated North Korea-nexus threat actor. The malware deployed is tracked as WAVESHAPER.V2, a sophisticated RAT with reconnaissance, command execution, PE injection, and persistent C2 capabilities.

Diagram: Attack Flow Overview

┌─────────────────────────────────────────────────────────────────────┐
│                     AXIOS SUPPLY CHAIN ATTACK FLOW                  │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  1. INITIAL ACCESS                                                  │
│  ┌──────────────────┐    ┌──────────────────────┐                   │
│  │ Stolen npm Token  │───▶│ Maintainer Account   │                   │
│  │ (classic token)   │    │ Takeover             │                   │
│  └──────────────────┘    └──────────┬───────────┘                   │
│                                     │                               │
│  2. DELIVERY                        ▼                               │
│  ┌──────────────────────────────────────────────────────┐           │
│  │ Publish axios@1.14.1 & axios@0.30.4 to npm           │           │
│  │ + dependency: plain-crypto-js@4.2.1 (typosquat)      │           │
│  └──────────────────────────┬───────────────────────────┘           │
│                             │                                       │
│  3. EXECUTION               ▼                                       │
│  ┌──────────────────────────────────────────────────────┐           │
│  │ postinstall hook → setup.js (XOR + Base64 obfuscated) │           │
│  │ Detects OS → Fetches platform-specific RAT from C2    │           │
│  │ Self-deletes + restores clean package.json             │           │
│  └──────┬──────────────────┬───────────────┬────────────┘           │
│         │                  │               │                        │
│         ▼                  ▼               ▼                        │
│  ┌────────────┐   ┌──────────────┐  ┌────────────┐                 │
│  │  Windows    │   │   macOS       │  │   Linux    │                 │
│  │ PowerShell  │   │  Mach-O RAT   │  │ Python RAT │                 │
│  │ RAT + Reg   │   │  + AppleScript│  │ /tmp/ld.py │                 │
│  │ Persistence │   │  + Codesign   │  │ No persist │                 │
│  └──────┬─────┘   └──────┬───────┘  └─────┬──────┘                 │
│         │                │               │                          │
│  4. COMMAND & CONTROL    ▼               ▼                          │
│  ┌──────────────────────────────────────────────────────┐           │
│  │ C2: sfrclak[.]com:8000 (142.11.206.73)               │           │
│  │ Protocol: HTTP POST, Base64 JSON, 60s beacon interval │           │
│  │ User-Agent: IE8/WinXP (static)                        │           │
│  │ Capabilities: exec, peinject, dir listing, recon      │           │
│  └──────────────────────────────────────────────────────┘           │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Attribution & Threat Actor

UNC1069 (per Google GTIG/Mandiant) is a North Korea-nexus financially motivated threat group. Key attribution indicators include:

• Infrastructure overlap with prior UNC1069 campaigns (domain sfrclak[.]com, IP 142.11.206.73, secondary IP 23.254.167.216).
• Use of the WAVESHAPER.V2 backdoor family, a known UNC1069 tool.
• The SILKBELL dropper component (setup.js) matches previously observed UNC1069 tooling patterns.
• Attacker-controlled email ifstap@proton.me was used to take over the maintainer account.
• A secondary email nrwise@proton.me was also observed in connection with the compromised accounts.

Note: The Datadog report noted that attribution artifacts in the payloads did not match the recent TeamPCP supply chain campaign, suggesting UNC1069 operates as a separate cluster within the DPRK cyber operations ecosystem.

3. Technical Details

3.1 Malware Analysis

Stage 0: Account Compromise

The attack began with the theft of a classic npm access token (long-lived, non-2FA-protected) belonging to the primary Axios maintainer (jasonsaayman). The attacker changed the account email to ifstap@proton.me and gained publishing permissions that exceeded those of other maintainers. The attacker then bypassed the legitimate CI/CD pipeline and published directly from the hijacked account.

Stage 1: Malicious Dependency Injection

Two axios versions were published:

• axios@1.14.1 (targeting latest users)
• axios@0.30.4 (targeting users pinned to the 0.x branch)

Both versions were identical to their legitimate predecessors except for one change: the addition of plain-crypto-js@4.2.1 as a dependency. This package had been staged with a clean version (4.2.0) minutes before the attack to avoid suspicion.

Stage 2: Obfuscated Dropper (setup.js)

The plain-crypto-js package contained an obfuscated JavaScript file (setup.js, ~4 KB) triggered via npm's postinstall hook. The dropper employed:

• Two-layer encoding: Reversed Base64 + custom XOR cipher (key: OrDeR_7077)
• OS detection: Branched execution to Windows, macOS, or Linux-specific routines
• Anti-forensics: Self-deleted setup.js and restored original package.json after payload delivery
• Speed: All dropper operations completed in under 2 seconds, before npm finished installing other dependencies
• Campaign identifier: 6202033 embedded throughout the tooling

Stage 3: Platform-Specific RAT Payloads (WAVESHAPER.V2)

macOS:

• Downloaded a universal Mach-O binary RAT to /Library/Caches/com.apple.act.mond
• Delivered via AppleScript, executed through zsh
• Ad-hoc codesigned to bypass Gatekeeper
• Masqueraded as a legitimate Apple process
• Most complete and functional payload (per Datadog analysis)
• No persistence mechanism implemented

Windows:

• Downloaded a PowerShell RAT via VBScript wrapper
• Copied legitimate powershell.exe to %PROGRAMDATA%\wt.exe to evade EDR
• Persistence via registry Run key (MicrosoftUpdate in HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and hidden batch file (%PROGRAMDATA%\system.bat)
• Supported reflective .NET PE injection (fileless, in-memory)
• Per Datadog, the Windows script had a bug that prevented proper beaconing initiation

Linux:

• Downloaded Python script to /tmp/ld.py via curl
• No persistence mechanism
• Per Datadog, the Linux RAT crashed in most containerized environments due to improper user information retrieval
• Linux payload was never fully recovered by researchers (per derp.ca)

RAT Capabilities (All Platforms)

All WAVESHAPER.V2 variants shared a common C2 protocol and command set:

3.2 Infrastructure Analysis

The infrastructure was dismantled shortly after npm removed the compromised packages. No prior malicious activity was associated with the C2 infrastructure before this campaign.

3.3 Downstream Propagation

Two additional npm packages were found to have vendored or depended on the trojanized Axios, propagating the compromise further into the ecosystem:

• @shadanai/openclaw
• @qqbrowser/openclaw-qbot (v0.0.130)

These packages either bundled the trojanized dependency directly or pulled in the tampered Axios, demonstrating how a single poisoned package can rapidly contaminate downstream dependencies, especially in automated CI/CD pipelines.

4. Detection Opportunities

4.1 Behavioral Detections (per Elastic Security Labs)

Elastic's behavioral detection strategy proved highly effective. Recommended detection rules focus on:

• Process ancestry monitoring: Node.js processes spawning OS-native shells (sh, cscript, osascript) that then fetch and execute remote payloads
• Network retrieval by interpreters: PowerShell, Python, curl/wget downloading executables from non-standard ports
• Background execution detachment: Child processes detaching from parent node process tree
• Renamed signed binaries: Detection of powershell.exe copied to non-standard paths (e.g., wt.exe)

4.2 Network-Based Detections

• Monitor for HTTP POST traffic to port 8000 with IE8/Windows XP User-Agent strings
• Alert on POST body patterns containing packages.npm.org/product strings to non-npm infrastructure
• Block/alert on traffic to sfrclak[.]com and 142.11.206.73

4.3 Host-Based Detections

• macOS: Presence of /Library/Caches/com.apple.act.mond (unsigned or ad-hoc signed Mach-O binary)
• Windows: Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate, presence of %PROGRAMDATA%\wt.exe or %PROGRAMDATA%\system.bat
• Linux: Presence of /tmp/ld.py
• All platforms: npm audit for axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1

4.4 Sophos Detection Signatures

• JS/Agent-BLYB (JavaScript dropper)
• Troj/PSAgent-CN (PowerShell RAT)

4.5 Package Ecosystem Checks

• Audit for advisory IDs: GHSA-fw8c-xr5c-95f9, MAL-2026-2306
• Verify axios package publisher metadata (check for unexpected email changes)
• Monitor for npm packages with postinstall hooks pulling previously unknown dependencies

5. Conclusion

The Axios npm supply chain attack represents one of the most significant software supply chain compromises in recent memory. Key takeaways across all 12 analyzed sources:

1. Scale of Impact: With ~100M weekly downloads, the blast radius was enormous, though the 169-minute exposure window limited actual propagation. Wiz estimated 3% of monitored environments executed the compromised code.

2. Sophistication: The attack demonstrated advanced tradecraft — multi-layer obfuscation, cross-platform RAT delivery, anti-forensic cleanup, and C2 traffic masquerading as legitimate npm registry activity.

3. Operational Weaknesses: Despite the sophisticated initial compromise, the RAT payloads contained bugs: the Windows variant failed to beacon properly, and the Linux variant crashed in containers — suggesting possible rush to deployment or limited testing.

4. Attribution: Google GTIG/Mandiant attributed the attack to UNC1069, a North Korea-nexus threat actor, based on infrastructure and tooling overlaps with prior campaigns. Not all sources agreed on attribution; Datadog noted the attack did not match the TeamPCP campaign cluster.

5. Systemic Risk: This incident exposes fundamental weaknesses in the npm ecosystem: long-lived access tokens, lack of mandatory 2FA for critical packages, insufficient publishing provenance controls, and the transitive trust model that allows a single compromised dependency to cascade to millions of consumers.

Recommended Immediate Actions:

• Audit all environments for axios@1.14.1, axios@0.30.4, and plain-crypto-js@4.2.1
• Rotate all credentials potentially exposed on compromised systems
• Review CI/CD pipeline logs for anomalous npm install activity during the exposure window (March 31, 00:21–03:20 UTC)
• Monitor for C2 indicators and file artifacts listed below
• Pin and lock dependency versions; enable npm audit in CI pipelines

6. Indicators of Compromise (IoC List)

6.1 Network Indicators

6.2 File Hashes — Malicious Packages

6.3 File Hashes — Payloads

6.4 File System Artifacts

6.5 Registry Indicators (Windows)

6.6 Malicious npm Package Identifiers

6.7 Advisory IDs

6.8 Obfuscation Artifacts

7. MITRE ATT&CK Techniques

Report generated by TI Mindmap HUB — Cross-source Threat Intelligence Analysis Analysis date: 2026-04-01 | Sources analyzed: 12 | Classification: TLP:WHITE